March 2019 THE SPACE SAFETY INSTITUTE

PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

CONTROLLED DISTRIBUTION

1 2 3 4 5 6 7 Introduction System Evolution of Commercial Standards Establishing the Safety Safety Safety System Safety Products Currently Used Space Safety Research Education at NASA Standards in Commercial Institute Program and Development Space Programs Professional and Conformity Training Assessment – An Overview

Page 3 Page 6 Page 19 Page 31 Page 42 Page 45 Page 50 Page 53 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

INDEX

INTRODUCTION...... 3 CHAPTER 4 CHAPTER 1 STANDARDS CURRENTLY USED IN SYSTEM SAFETY...... 6 COMMERCIAL SPACE PROGRAMS...... 42 4.1 - Introduction...... 42 1.1 - What Is System Safety?...... 6 4.2 - United States...... 42 1.2 - Why System Safety Was Developed?...... 7 4.3 - Europe...... 43 1.3 - Key Principles of Risk-Based Design...... 8 1.3.1 - Hazard, Mishap & Risk...... 10 CHAPTER 5 1.3.2 - Hazard Elements...... 11 ESTABLISHING THE SPACE SAFETY INSTITUTE...... 45 1.3.3 - Hazard theory and risk probability...... 12 5.1 - Which regulatory framework after 2023? ...... 45 1.3.4 - Hazard identification...... 12 5.2 - Building the Space Safety Institute ...... 47 1.3.5 - Hazard reduction order of precedence...... 13 5.2.1 - Standardization activities...... 48 1.3.6 - Hazard elimination and limitation...... 13 5.2.2 - Safety Review Panel...... 49 1.3.7 - Hazard design controls...... 13 1.3.8 - Hazard operational controls...... 15 CHAPTER 6 1.3.9 - Safety technical requirements and criteria...... 15 SAFETY RESEARCH PROGRAM...... 50 1.4 - Safety Management System...... 16 6.1 - NESC ...... 50 1.4.1 - Organizational requirements...... 16 6.2 - The Space Safety Institute 1.4.2 - Identifying, documenting, and validating system Research Center...... 51 hazards...... 17 CHAPTER 7 CHAPTER 2 SAFETY EDUCATION AND PROFESSIONAL TRAINING...... 53 EVOLUTION OF SYSTEM SAFETY AT NASA...... 19 7.1 - An Unanswered Need...... 53 2.1 - Human Rating...... 19 7.2 - Educational and Training Programs...... 54 2.1.1 - Launch abort system...... 19 2.1.2 - Early programs...... 20 ANNEX A 2.1.3 - Shuttle payloads and ISS...... 22 COMMENTS ON THE HOUSE FLOOR UPON 2.1.4 - Current NASA Human-rating program...... 25 INTRODUCING A BILL TO ENHANCE THE SAFETY 2.2 - Safety Panels & Safety Authority...... 26 OF COMMERCIAL SPACE FLIGHT...... 55 2.2.1 - Safety Review Panel origin and evolution...... 26 ANNEX B 2.2.2 - Safety governance...... 28 “SAFETY IS NOT PROPRIETARY” STATEMENT CHAPTER 3 TO THE NATIONAL COMMISSION ON THE COMMERCIAL PRODUCTS STANDARDS DEVELOPMENT BP DEEPWATER OIL SPILL AND OFFSHORE DRILLING...... 56 AND CONFORMITY ASSESSMENT – AN OVERVIEW...... 31 ANNEX C 3.1 - Origin of Standards...... 31 EDUCATIONAL AND PROFESSIONAL 3.2 - Definitions...... 32 TRAINIG PROGRAM...... 60 3.3 - Functions of Standards...... 33 C.1 - Safety Education Program...... 60 3.3.1 - Process Management...... 33 C.2 - Space Safety Training Program...... 61 3.3.2 - Public Welfare...... 33 ANNEX D 3.4 - Type of Standards by Development...... 34 ESSENTIAL FEATURES OF A SELF-POLICING SAFETY 3.4.1 - Development of Consensus Standards...... 34 ORGANIZATION FOR THE OIL AND GAS INDUSTRY...... 62 3.5 - Conformity Assessment...... 36 NOTES & REFERENCES...... 63 3.6 - Safety Standards Development and Conformity SPACE SAFETY INSTITUTE STUDY TEAM...... 64 Certification...... 36 3.6.1 - Prescriptive vs. performance safety standards...... 36 3.6.2 - Third-party Safety Certification...... 38 This document is proprietary and confidential. No part of this document may be disclosed in any manner to a third party without the prior written consent of IAASS.

2 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

INTRODUCTION

or the past 15 years the debate on within a broad framework of mandated products. The pillar of system safety engi- Fcommercial human spaceflight safety policies and rules. neering is to consider the actual system’s has revolved mainly around suborbital hazards instead of pre-defined safety tourism vehicles and has been grounded The need for such organization is rules as design drivers. In other words, on the misconception that safety regu- both practical and strategic. Government the safety features of a system under lations can be established only when as responsible for public welfare (health, development are not pre-defined design enough operational experience is gained, safety and environment), and sometimes rules but the specific risk-mitigation mea- (several years, perhaps decades from as customer, needs assurance that the sures selected by the designer based on now). While the initial enthusiasm for commercial space industry can deliver hazard analysis and generic safety goals. suborbital spaceflight seems to be fad- on promises. However, system safety is The organizational component of system ing away following continuous delays, multidisciplinary and there is a relatively safety, system safety management, is accidents and bankruptcies, the area of limited numbers of people with the req- also essential because it establishes the potential space commercial services is uisite expertise and updated experience conditions and processes that allow to widening and gaining momentum. Within in writing performance requirements and achieve the organization’s safety objec- a decade, human spaceflight operation supporting safety peer-reviews, making tives. Through leadership commitment, in Low Earth Orbit (LEO) may become it hard for regulators to be able to rely trained and competent personnel, safety predominantly commercial. There could solely on its own personnel. In addition, culture, hazards documenting and track- be also important elements of private all the parties involved need assurance ing, and risk management, system safety participation to government Moon and that commercial competition takes place management provides on one side assur- Mars exploration missions, which be- on a level playing field and that safety is ance on the capabilities of the organiza- cause of high costs could also include not compromised by cost cutting efforts. tion, and on the other side it proves their international partners (see ESA/Airbus Sharing data, transparent communica- effective and successful use. DS cooperation with NASA/LMCO on tion and independent risk assessment Orion Spacecraft development). The can provide such assurance. But above The report then goes on describing suborbital industry may evolve away all, industry must recognize and act on the socio-technical evolution of system from space tourism to follow a similar the strategic business value of improving safety at NASA and shows how acci- mixed-users path (see recent agree- on the poor safety record of space pro- dents prevention techniques and safety ments to buy/operate Virgin Galactic grams and for such purpose leadership organization evolved through the years. SS2 in Italy and UK), in particular in the commitment and coordinated research The early NASA approach to space mis- perspective of developing point-to-point and educational efforts of all stakehold- sions safety, in the sixties, was called transportation. As a consequence, there ers are paramount. ‘man-rating’ and consisted of compo- is a strong need to establish harmonized nents testing to improve rockets reli- safety requirements and a system of rec- The proposed Space Safety Institute ability, adding escape systems, and ognition of safety certifications to better builds on concepts, experience and prac- selecting flight profiles that would keep fit commercial space programs into a tices of various programs and sectors accelerations within human tolerance mixed private-government environment. and may be archetypal of future direction limits. Safety was essentially considered in other fields (e.g. aviation). First the re- the ‘natural’ by-product of good design. The purpose of this report is to pro- port introduces the principles of system The idea that accidents could be pre- vide the rationale for the establishment safety, which is the systematic applica- vented by applying systematic risk miti- of a (commercial) Space Safety Institute tion of engineering and management gation techniques came years later. The in the U.S. as “regulated self-policing” principles, criteria and techniques to at- turning point was the Apollo 1 fire acci- entity. It would be an open consortium tain an acceptable level of system risk dent during ground testing in 1967. The of industry, space agencies and regula- control. System safety engineering, also accident’s cause was the use of 100% tors to efficiently perform standardiza- known as risk-based design or safety- pure oxygen atmosphere in the capsule tion and certifications activities, conduct by-design, represents a major departure without any care on selecting compat- joint research, and provide educational from the traditional rules-based design ible materials and removing potential and professional training opportunities, applied to “evolutionary” commercial ignition sources. It was surprising that the

3 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

oxygen fire hazard, at the time already well known and documented in many industries and in the medical field, went uncontrolled. Suddenly it was realized at NASA that making a spacecraft reli- able was in itself not sufficient to make it safe. Reliability assessments and test- ing could not account for certain haz- ardous interactions, for human errors or software faults. The Apollo 1 fire was a fully preventable accident that happened because there was no program for sys- tematic risk identification and control. The accident demonstrated the need for performing hazard analyses through- Bigelow Aerospace BEAM. out design, development and operation phases. Years later, a different kind of accident, an ‘organizational accident’, processes aimed to ensure human pro- but things may change soon) a typical led to the destruction of the Shuttle tection and health while accounting for “evolutionary” industry. Aviation safety Challenger. During Shuttle development, human performance, accommodating standards consist of detailed prescriptive the hazard of hot gas leaking from solid human needs, and giving to crew ulti- requirements built on a large number of rocket booster joints was identified and mate control of the vehicle. The social lessons learned from mishaps and close controlled by use of redundant O-rings. part consists of a check-and-balance calls over a period of more than a century However, the design was deficient as re- system in management and decisional and aimed to specific types of vehicles. vealed by frequent erosions of outer O- processes, involving program organiza- Instead, since the 80’s, space programs ring witnessed by post-flight inspections. tion, independent oversight, and sepa- (and many other fields of advanced tech- Eventually, the Challenger launch of Jan- rate safety authority. nologies) have been using a risk-based uary 1986 in freezing weather conditions approach to system development and (outside the qualification envelope) led to Having discussed the experience so-called “performance standards”. The hot gases leaking and impinging on the gained over almost 60 years of govern- risk-based approach consists in identify- main tank which exploded. The underes- ment space programs, the report goes to ing the potential conditions for mishaps timation of the anomaly and the launch present a general overview of principles starting in the early phases of design and decision that led to the Challenger disas- and practices governing the establish- implementing risk mitigation and control ter were the result of schedule and costs ment and use of commercial products measures consistent with broad safety pressures on the Shuttle program, and standards in U.S. and the associated goals. of poor risk management. Fifteen years conformity assessment activities. Stan- later, something similar happened to the dards may have different purposes than Finally, the report discusses the cur- Shuttle Columbia, although the technical safety, and be of three different types (de- rent U.S. commercial human spaceflight anomaly was different, and the decisional facto, consensus, and mandatory). Con- regulatory framework. On December 23, process failed differently. Those acci- formity assessments can also vary from 2004, President Bush signed the Com- dents demonstrated that human errors, manufacturing statement of conformity, mercial Space Launch Amendments Act hardware failures and software faults are to third-party testing and certification. A of 2004 (CSLAA). The CSLAA made the proximate causes of accidents, and that variety of organizations perform safety Department of Transportation and the ultimate causes originate from unfavor- certifications: independently (e.g. UL), Federal Aviation Administration (DOT/ able organizational conditions. Those under delegation from government (e.g. FAA) responsible for regulating commer- conditions can be prevented by applying American Bureau of Shipping), or in sup- cial human space flight. The law estab- adequate controls on the organization in port of regulators (e.g. Institute of Nuclear lished a moratorium (also called ‘learning charge of design, development and op- Power Operations). The principle that a period’) for safety regulations of flight eration. In other words, the organization’s standard can be established only when participants (crew and passengers) of 8 safety culture, trained personnel, robust experience is gained is well established. years, later extended until 2023, unless processes, independent checks are as We can even say that it reflects the most an accident happens. Unfortunately, the important in preventing accidents as traditional approach to standards devel- rhetoric linked to benefits of certain de- safety technical requirements. Over the opment. However, it fits only products regulations in eliminating trade barriers years, human spaceflight safety at NASA slowly evolving over many decades or was exploited by some parties to pro- matured from the initial ‘man-rating’ nar- even centuries. It is based on the idea of mote the moratorium on safety regula- row scope into an encompassing socio- developing “prescriptive standards” that tions. A lose-lose situation because not technical control system. The technical give details rules about the design. For having minimum safety regulations is part consists of human-centered design example, aviation has been (until now, against the interest of the customer while

4 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

defeating the fundamental interest of in- dustry to operate within a stable set of rules. The CSLAA just requires opera- tors to provide prospective customers with written information about the risks of spaceflight and a statement of the fact that the U.S. government has not certified the vehicle as safe for carrying crew or spaceflight participants. Howev- er, there is one remarkable exception to such rule. The commercial vehicles pro- viding services to the International Space Station (ISS) must comply with the safety requirements of the ISS program and be certified by NASA. (ISS - Intergovern- SpaceX Crew Dragon. mental Agreement (IGA)). Currently the commercial human spaceflight industry is developing suborbital systems (Virgin The CSLAA allows companies to apply be in place when the current moratorium Galactic SS2, Blue Origin New Shepard, whatever level of failure tolerance they expires in 2023. It proposes the estab- etc.) and orbital systems (SpaceX Drag- like in the design, without even requiring lishment of a Space Safety Institute, as a on, Boeing CST-100 Starliner, Bigelow independent verification of the correct cooperative endeavour between in­dustry, Aerospace BEAM, and Dream Chaser for implementation. space agencies and regulators. The dis- Resupply Services). A de-facto double cussion in this report on how to set-up regulatory regime exists (no-regulation/ Curiously, the argument of inflex- and operate the Space Safety Institute is full-regulation) for safety on-board space ibility, costs, and barrier to innovation heavily influenced by the analysis of such vehicles depending if the customer is a used by the commercial human space- institutions performed few years ago by private entity or NASA ISS Program. flight industry to push the case for the the Presidential Committee that investi- moratorium enshrined in the U.S. Con- gated the Deepwater Horizon oil drilling By not requiring industry to estab- gress Commercial Launch Amendments rig disaster of 2010 in the Gulf of Mex- lish safety rules up-front, in line with the Acts (CSLAA) of 2004, is the same that ico. There are in fact some remarkable experience gained through government other advanced industries and the U.S. analogies between the negative attitude space programs, the unintended effect of Government have used to promote the shown by the oil industry before the di- CSLAA has been to encourage industry transition from old-fashioned “prescrip- saster, (they fought for 20 years against to set the clock of their safety practices tive standards” to modern “performance introducing safety management best back to the early 1960s. The CSLAA may standards”. practices), and that of the “New Space” have planted the seeds of the first sub- community in the past 15 years. An ad- orbital flight accident, the Oct. 31 fatal The final part of the report looks to ditional justification for establishing the crash of Virgin Galactic’s SpaceShipTwo. what kind of regulatory framework should Space Safety Institute is to help trans- ferring unique space safety experience, knowledge and skills available at NASA.

In conclusion, the Space Safety In- stitute would support a regulatory model that can react quickly and efficiently to technological advancements while ex- ercising effective controls on commer- cial space systems developments. The Space Safety Institute would perform standardization and system certification activities, as well as educational and re- search activities. The regulator would es- tablish broad policies and keep a general oversight role of institute’s processes and activities, while concentrating on other is- sues, which lie outside the Space Safety Institute scope, as space traffic manage- ment and international coordination. Blue Origin New Shepard.

5 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 1 SYSTEM SAFETY

criteria and techniques to achieve the 1.1 safety goals of a system. The system safety process consists in the identifi- WHAT IS cation of safety related risks and their To be absolutely safe, elimination and/or control by design and/ SYSTEM SAFETY? or procedures, based on pre-established a system, product, performance safety requirements and criteria meant to represent the optimum device or material o be absolutely safe, a system, prod- achievable objective at the state of art, Tuct, device or material should never and within project’s constraints. The sys- should never cause cause or have the potential to cause an tem safety process activities start in the accident; a goal practically impossible to earliest concept development phases of or have the potential achieve. In the development and opera- a project and continue through design, tion of systems, the term “safety” is used production, testing, operational use, to cause an accident; to mean an acceptable risk level, not ab- and disposal. The core technique used solute safety. for system safety is the Hazard Analysis a goal practically that has several variants, from Function- System safety is the planned, dis- al Hazard Analysis (FTA), to Preliminary impossible to achieve ciplined, and systematic application of Hazard Analysis (PHA), System Hazard engineering and management principles, Analysis (SHA), etc.

System Safety

System Safety System Safety Engineering Management

Safety Risk-based Hazard Risk Safety Requirements & Design Reporting Management Assurance Criteria

6 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Sometimes terms as risk-based de- (establishing audit trails); designing to sign, or safety-by-design are used as eliminate or control hazards and mini- Within eighteen synonyms for system safety engineering. mize damage; maintaining safety infor- System safety is more than just systems mation systems and documentation; and months after the fleet engineering and must incorporate man- establishing reporting and information agement and safety culture concerns. channels. of 71 Atlas F missiles System safety engineering is an impor- tant part of system safety, but the con- became operational, cerns of system safety extend beyond the traditional boundaries of engineering. four blew up in their In 1968, Jerome Lederer, then the direc- 1.2 tor of the NASA Manned Flight Safety silos during Program for Apollo, wrote: WHY SYSTEM operational testing “System safety covers the total SAFETY WAS spectrum of [safety] risk management. It goes beyond the hardware and as- DEVELOPED? While the nuclear power, commercial sociated procedures of system safety aircraft, chemical, and other industries engineering. It involves: attitudes and have taken a conservative approach to motivation of designers and production igorous, defined approaches to sys- introducing new technology, changing people, employee/management rapport, Rtem safety mostly arose after World designs slowly over time, defense and the relation of industrial associations War II, when the Atomic Energy Com- space systems have pushed the technol- among themselves and with government, mission (and later the Nuclear Regulatory ogy envelope, developing tremendously human factors in supervision and qual- Commission) were engaged in a public complex, novel designs that stretched ity control, documentation on the inter- debate about the safety of nuclear pow- the limits of current engineering knowl- faces of industrial and public safety with er; civil aviation was trying to convince a edge, continually introducing new and design and operations, the interest and skeptical public to fly; the chemical indus- unproven technology, with limited oppor- attitudes of top management, the effects try was coping with larger plants, increas- tunities to test and learn from extensive of the legal system on accident investi- ingly lethal chemicals, and heightened experience. In response, a unique ap- gations and exchange of information, the societal concern about pollution; and proach to engineering for safety, called certification of critical workers, political the Department of Defense (DoD) was system safety, arose in these industries. considerations, resources, public senti- developing ballistic missile systems and ment, and many other nontechnical but increasingly dangerous weapons. These When the Atlas and Titan interconti- vital influences on the attainment of an parallel efforts resulted in very different nental ballistic missiles (ICBMs) were be- acceptable level of risk control. These approaches, mostly because the prob- ing developed in the 1950s, system safe- nontechnical aspects of system safety lems they needed to solve were different. ty was not yet identified and assigned as cannot be ignored”.

Using these general principles, sys- tem safety attempts to manage hazards through analysis, design, and manage- ment procedures. Key activities include analyzing system hazards from the top down, starting in the early concept de- sign phase to eliminate or control hazards and continuing during the life of the sys- tem to evaluate changes in the system or the environment; documenting and tracking hazards and their resolutions System safety covers the total spectrum of [safety] risk On September 19th, 1980, a Titan II Missile exploded in Damascus (Arkansas) and blew its nuclear warhead out management of the silo. It was a day we nearly lost Arkansas (Courtesy: Greg Devlin).

7 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

a specific responsibility. Instead, each apply techniques developed for the sim- designer, manager, and engineer was re- pler and primarily electro-mechanical 1.3 sponsible for the reliability of his particu- systems of the past continue, with only lar component or subsystem. As a result, partial success. KEY PRINCIPLES OF many interface problems went unnoticed until it was too late. Within eighteen The space program was the second RISK-BASED DESIGN months after the fleet of 71 Atlas F mis- major area to apply system safety ap- siles became operational, four blew up proaches in a disciplined way. After the in their silos during operational testing. 1967 Apollo 1 fire that killed three astro- lthough system safety engineering is The missiles also had an extremely low nauts, NASA commissioned the General Aa relatively new and still evolving dis- launch success rate. The air force had Electric Company at Daytona Beach, cipline, some general principles hold for typically blamed most accidents on pi- among others, to develop policies and its various manifestations. lot error, but these new liquid-propellant procedures that became models for ci- missiles had no pilots to blame and yet vilian space flight safety activities. Je- ƒƒ System safety engineering empha- blew up frequently and with devastating rome Lederer was hired to head safety sizes building in safety, not adding results. When these early losses were at NASA. Under his leadership, an exten- protection features to a completed investigated, a large percentage of them sive system safety program was set up design. System safety emphasizes were traced to deficiencies in design, for space projects, much of it patterned the early identification of hazards operations, and management. The im- after the air force and DoD programs. so action can be taken to eliminate portance of treating safety as a system Many of the same engineers and com- or minimize them in early design de- problem became clear and, as a result, panies that had established formal sys- cisions; 70 to 90 percent of the de- systems engineering and system safety tem safety defense programs also were sign decisions that affect safety are (a sub-discipline of systems engineering) involved in space programs, and the made in concept development, re- were developed. systems engineering, and system safety quirements definition, and architec- technology and management activities tural design. The degree to which it is The Minuteman ICBM became the were transferred to this new work. economically feasible to eliminate or first weapon system to have a contrac- tual, formal, disciplined system safety program. At first, few techniques that could be used on these systems existed, but specialized system safety practices Apollo 1 evolved over time. Particular emphasis was placed on hazard analysis tech- Apollo 1 - Fire kills 3 Disaster: niques, such as fault trees, which were Ed White, Roger Chaffee and Gus Grissom die in launch pad fire first developed to cope with complex while inside their Apollo 1 capsule. Fire was a result of 100% pure programs like Minuteman. While these techniques were useful for the technol- oxygen inside capsule, redesigned hatch that opened in instead of ogy of the time, new technologies, par- pushing out, and a short, a spark that ignited the fire. ticularly digital technology and software, have made many of them no longer ap- propriate for the increasingly complex, software-intensive systems we build to- day. Unfortunately, recognition of these limitations has been slow. Attempts to

The space program was the second major area to apply system safety approaches in a disciplined way

8 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

minimize a hazard rather than to con- faulty maintenance, instrumentation trol it depends on the stage in system and control inadequacies, human ac- development at which the hazard is tions, design errors, and poor man- identified and considered. Early in- Safety is an agement decision making. All these tegration of safety considerations factors must be considered. into the development process allows emergent maximum safety with minimum nega- ƒƒ System safety engineering empha- tive impact. The usually more expen- system property sizes analysis in addition to past sive and less effective alternative is to experience and codes of practice. design first, identify the hazards, and Rule-based standards and codes then add on protective equipment to have occurred when the system com- of practice incorporate experience control the hazards when they occur. ponents were all functioning exactly and knowledge about how to reduce as specified. The Mars Polar Lander hazards, usually accumulated over ƒƒ System safety engineering deals with loss is an example. Each component long periods of time from previous systems as a whole rather than with worked as specified but problems mistakes. While the use of such pre- subsystems or components. Safety arose in the interactions between the scriptive standards and learning from is an emergent property of systems, landing leg sensors and the software experience is essential in all aspects not components. One of the principle logic responsible for shutting down of engineering, including safety, the responsibilities of system safety is to the descent engines. Reliability anal- pace of change today does not always evaluate the interfaces between the ysis considers only the possibility of allow for such experience to accumu- system components and determine accidents related to failures. Soft- late. System safety analysis attempts the effects of component interaction. ware, ubiquitous in space systems to anticipate and prevent accidents (The set of components includes hu- today, is an important consideration and near misses before they occur, in mans, machines, and the environ- here. In most software-related acci- addition to learning from the past. ment.) Safety is an emergent system dents, the software operates exactly property. It is not possible to deter- as intended. Focusing on increasing ƒƒ System safety engineering empha- mine whether a spacecraft design is the reliability with which the software sizes qualitative rather than quanti- acceptably safe, for example, by ex- satisfies its requirements will have tative approaches. A system safety amining a single valve. In fact, state- little impact on system safety. Reli- approach identifies hazards as early ments about the “safety of the valve” ability and safety may even conflict. as possible in the design stage and without information about the context Sometimes, in fact, increasing safety then designs to eliminate or control in which it is used are meaningless. can decrease system reliability. Un- those hazards. At these early stages, Conclusions can be reached about der some conditions, for instance, quantitative information usually does the reliability of the valve (defined as shutting down a system may be an not exist. Although such information the probability that the behavior of the appropriate way to prevent a hazard. would be useful in prioritizing hazards, valve will satisfy its specification over That increasing reliability can dimin- subjective judgments about the likeli- time and under given conditions), but ish safety may be a little harder to hood of a hazard are usually adequate safety can only be determined by the see. For example, increasing the re- and all that is available when design relationship between the valve and liability (reducing the failure rate) of decisions must be made. In addition, the other spacecraft components, in a tank by increasing the burst pres- probabilistic risk analyses that ex- the context of the whole. sure–to–working pressure ratio may clude potential causes of an accident, result in worse losses if the tank does including interactions among non-fail- ƒƒ System safety engineering takes a rupture at the higher pressure. Sys- ing components, design errors, soft- larger view of hazard causes than tem safety analyses start from haz- ware and hardware requirements er- just failures. A lack of differentiation ards, not failures and failure rates, rors, and poor management decision between safety and reliability is still and include dysfunctional interac- making, can lead to dangerous com- widespread at major organizations. tions among components and sys- placency and focusing engineering ef- Hazards are not always caused by tem design errors. The events lead- forts only on the accident causes for component failures, and all failures ing to an accident may be a complex which those measures are possible. do not cause hazards. Reliability en- combination of equipment failure, If enough were known about factors gineering concentrates on compo- nent failure as the cause of accidents and a variety of techniques (including redundancy and overdesign) are used System safety analysis attempts to anticipate to minimize them. As early missile sys- tems showed, however, losses may and prevent accidents and near misses before arise from interactions among sys- tem components; serious accidents they occur, in addition to learning from the past

9 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

such as design errors to define a prob- ability for them, then safety would be more effectively enhanced by remov- ing the design error than by measuring it in order to convince someone that it will never cause an accident. HAZARD 1.3.1 Hazard, Mishap & Risk MISHAP

ystem safety is achieved by thorough- Sly exploring systems risks starting with conceptual design and progressing with implementation of architectural and detailed risk mitigation measures as the design evolves and becomes more de- In the development of a system, we equipment or property, or damage to the tailed. The initial top down system risk can distinguish risks with consequences environment. In other words, a mishap is analysis will be progressively and itera- on “safety,” on “mission success,” or on a hazard that became actualized, a tran- tively refined and combined with bottom “development/programmatic”. Here, we sition from hypothesis to fact. up sub-systems and components risk refer solely to safety risks. analyses until compliance with systems There are three kinds of hazards: safety goals is achieved. A hazard is a potential condition that functional hazards, inherent hazards and can cause injury, illness, or death to per- induced hazards. Recognizing the elements of a haz- sonnel; damage to or loss of a system, ard and understanding the relationship equipment or property; or damage to the ƒƒ Functional hazards. A safety-critical between hazard and risk, allows design- environment. Instead, a “mishap” or ac- function is either a ‘must-work’ func- ers to select and implement hazards con- cident is an unplanned event or series of tion or a ‘must-not-work’ function. trols that effectively mitigate the risks. events resulting in death, injury, occu- A must-work-function is an active pational illness, or damage to or loss of function vital for keeping the crew

Example of triple safety critical system: SpaceShipTwo feather mechanism

Rudders Actuated by pilot’s pedals for vehicle yaw control • The feather system consist in the rotation of the tails CTN of the vehicle to create higher aerodynamic drag during Case, Throat Main Valve Bulkhead: and Nozzle Includes slosh baffle/valve/ descent to improve stability and limit deceleration injector igniter components

Elevons Actuated by pilot’s centre stick • The feather system is a safety-critical mechanism. for vehicle pitch and Hybrid Rocket System* roll control It is must-not-work system (1 time) during the Oxidizer Tank Electric Servo Horizontal ascent phase, and must-work (twice) during the Stabilizers TPS For trim control Thermal Protection System 90” - 23 m Windows descent phase Side 17” — 43cm Top 13” — 33cm Crew station 21” — 53cm Entry/Exit Large Cabin door for easy entry and egress on lower • Must not deploy too early, must deploy at descent, Roll Thrusters Feather Mechanism Emergency Egress left side Feather actuation and lock Thrusters must retract before starting the gliding 12 feet - 3.7 m pneumatically operated Nose Skid To control pitch Simple, high friction and yaw of spaceship landing gear in zero gravity

10 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

alive (e.g. life-support system of a Sometimes induced hazards are due A hazard mitigation measure is ei- spacecraft). A must-not-work function to interaction between components, ther hazard elimination or hazard control. is instead a function that if operated between systems, between human A hazard control is any design feature, inadvertently or untimely (e.g. propul- and system or component, or between device, or operational procedure that will sion ignition, or access to a live high- system and environment. Examples reduce the associated risk by lessen- power laser) can kill or injure the crew are collision between space sys- ing the severity of the resulting mishap or cause damages. A function may be tems, decompression of a habitable or lowering the likelihood that a mishap a ‘must-not-work’ function for some volume in space, or entanglement in will occur. Residual risk is the remaining periods of a mission and a ‘must-work rotating parts. risk that exists after all hazard mitigation function’ for remaining time. measures have been implemented or ex- Risk is an expression of the impact hausted in accordance with the applica- ƒƒ Inherent hazards. A system func- and possibility of a mishap in terms of ble safety requirements and the project tion may not be safety-critical yet in- potential severity and probability of oc- risk management process. clude some inherent hazards such as currence. Risk can be assessed quali- high voltages, high temperature, toxic tatively or quantitatively against risk ac- compounds, etc. For example, a mi- ceptance criteria (see table below) crogravity experiment using a metal melting furnace. Inherent hazards ex- Acceptable risk level is not the same 1.3.2 ist in a system due to its basic nature as personal acceptance of risk, but it and function. They can be controlled, refers to risk acceptability by stakehold- Hazard Elements but not eliminated (without changing ers’ community or by society in a broad the basic technology associated with sense. Acceptable risk levels vary from the system). Usually system design is system to system and evolve with time or hazard’s correct identification, de- a trade-off between inherent hazards due to socio-economic changes and Fscription and risk assessment, haz- of different technologies. Examples technological advancement. Implement- ard’s basic elements need to be under- of inherent hazards are contacts haz- ing proven best-practices is a prereq- stood. The concept of hazard triangle ards like sharp edges, stored energy uisite for achieving an acceptable risk is particularly useful when applied to hazards like a gas pressurized tank, level. Best-practices are traditionally inherent hazards (Clifton, 2005). A haz- or chemical hazards like toxic com- established by government regulations ard is comprised of the following three pounds (e.g., ammonia) or flammable and norms, and/or by industrial stan- basic components: hazardous element materials. dards. Without such reference, the term (HE), initiating element (IE), and target safety, or acceptable risk, becomes element (TE). ƒƒ Induced hazards. They exist due to meaningless. In other words, compli- the design or operation of the system. ance with regulations, norms and stan- ƒƒ Hazardous Element (HE): basic haz- They can be putted there by the de- dards represents the safety yardstick of ardous resource such as an energy signer and can generally be removed a system. source. or controlled without disabling the operational capability of the system. ƒƒ Initiating Element (IE): trigger or ini- tiator event that creates the impetus for the hazard. There could be several HAZARD distinct casual factors leading to the CATEGORY CATASTROPHIC CRITICAL MARGINAL initiating element. FREQUENCY ƒƒ Target Element (TE): person, prop- FREQUENT erty or environment that are vulnera- UNACCEPTABLE UNACCEPTABLE UNACCEPTABLE (X > 10-1) ble to injury, damage, or degradation. They can be affected separately or not PROBABLE UNACCEPTABLE UNACCEPTABLE HIGH under different circumstances. (10-1 > X > 10-2)

OCCASIONAL Examining the constituent element UNACCEPTABLE HIGH HIGH (10-2 > X > 10-3) of a hazard helps ensuring that the haz- ard description is complete and correct, REMOTE HIGH HIGH LOW which is a key starting step of any hazard (10-3 > X > 10-6) analysis.

IMPROBABLE LOW LOW LOW When a hazard is actualized it is (10-6 > X) the effect on the TE or outcome (injury, Hazard Risk Assessment Matrix. death, damage, destruction, contamination)

11 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Astronaut could be electrocuted by touching exposed contacts in electrical panel with high voltage

Astronaut could be electrocuted TE OUTCOME

by touching exposed contacts IE CASUAL FACTORS in electrical panel with high voltage HE

Example of hazard description and of its constituent elements.

that defines the severity of the mishap. All ƒƒ Hazards may lead to mishaps A hazard is a three sides of the triangle are essential and ƒƒ Hazards are into a system or induced required for a hazard to exist. by its design and operations deterministic entity ƒƒ Hazards are recognizable by their components elements (triangle) (it is there or not), ƒƒ Hazard causes are predictable and controllable while relevant mishaps 1.3.3 ƒƒ A design flaw can be a hazard cause are probabilistic Hazard theory and A hazard is a deterministic entity (it is there or not), while relevant mishaps risk probability are probabilistic. A hazard exists when Hazards checklists and basic hazard all three hazard components are present. groups are used for helping in the haz- Mishap probability is the probability that ard identification process. Hazards can he key principle of hazards theory is IE actuates when HE and TE are present. be identified from a variety of sources Tthat mishaps can be predicted via Reduce the probability of the IE and the such as: hazard identification, and prevented via mishap probability is reduced. Mishap hazard elimination or control: severity is dictated by TE being present. ƒƒ general knowledge of system energy Reduce the HE or TE and the mishap se- sources experience gained from verity will be reduced. previous space projects ƒƒ hazards grouping or checklists used in other fields Mishaps can be ƒƒ detailed analysis of design for components failure modes predicted via hazard 1.3.4 ƒƒ detailed analysis of operations for potential human errors identification, and Hazard identification ƒƒ known or pre-established undesired outcomes or mishaps and following prevented via hazard backward to hazards azard identification is a prerequisite ƒƒ review and analysis of good design elimination or control Hfor hazard elimination and control. practices

12 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

ƒƒ use of key state questions (what must the system always do, what it must 1.3.6 1.3.7 never do). Hazard elimination Hazard design and limitation controls 1.3.5 Hazard reduction azards oftentimes can be eliminated n the development of a system, safety Hby the proper selection of a design Iis designed-in through a combination of order of precedence solution. For example, the choice of a hazard controls and relevant verifications nominal air atmosphere for a spacecraft that are identified by hazard analysis. instead of one of enhanced or pure oxy- ctions to eliminate hazards or control gen greatly diminishes the risk of fire. Athe risk are undertaken during the As another example, designing a pres- Barriers, inhibits and interlocks design in the following order of prece- sure vessel to leak-before-burst avoids dence: the potentially violent rupture and frag- Barriers, sometimes called inhibits mentation that can cause additional for certain applications, are a means for a) eliminate the hazard damage, disable redundant systems, or physically isolating a hazard. A barrier b) develop design solutions and/or injure a crewmember. Often, however, can be a physical interruption between use safety devices a hazard cannot be eliminated without an energy source and some function, a c) provide detection and warning/ concomitant loss of some major system means of separating incompatible mate- caution means functionality. Still, the level of a hazard rials, or for isolating materials that when d) develop special procedures and can be limited by proper selection of mixed would constitute a hazard (Mus- training (including personnel design parameters. For electric power grave, Larsen, Sgobba 2009). protective equipment) distribution efficiency, a high voltage system can be selected. However, if the Shields used to protect a spacecraft A lesser degree of desirability exists power distribution system is designed from meteoroids and orbital debris are for each succeeding method. so that the power is converted locally safety barriers. They perform an energy to provide low voltage at most electric absorption function, thus preventing im- outlets utilized by the crew, the risk of pact damage to the vehicle and its sys- electric shock is limited. tems. This is similar to the concept of structural containment, which is used as a means of protection for rotating items. Other examples of barriers are the use of relays between a battery and a pyrotech- VERIFICATION nic initiator, and a latch valve installed HAZARD CONTROL VERIFICATION between a propellant tank and thrusters. VERIFICATION It is important to realize, however, that CAUSE CONTROL VERIFICATION commands, personnel, computers and VERIFICATION software, panel switches, and proce- CONTROL dures are not inhibits, and should not be VERIFICATION considered as such in any design.

CONTROL CAUSE CONTROL “ In the case of fire, combustion re-

HAZARD quires the presence of a fuel, an oxidizer, CONTROL “ and an ignition source. Isolating any one

CONTROL of the three from the other would effec- “ tively prevent a fire. The use of a slightly CAUSE CONTROL pressurized inert gas, such as nitrogen, in CONTROL leak tight fuel container represents an ef- fective barrier to prevent air from coming HAZARD into contact with the combustible fuel.

Some materials and compounds pos- sess harmful characteristics such as tox- Hazard Analysis sequence from hazard identification and hazard causes determination to hazard controls icity or radioactivity. In such cases, barri- (design controls and/or operational controls) and relevant verifications. ers selected during design can be in the

13 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

dancies. In all other cases, single-point- Fail-safe Design failures can be mitigated by introducing parts, components, or equipment redun- dancies locally. • Fail-passive: The equipment is automatically de-energized, A redundancy is called hot (active) and ceases operation until corrective actions are taken. when redundant elements nominally are Fuses and circuit breakers are typical fail passive devices fully energized, and it is not necessary to switch in the redundant element or • Fail-active: The equipment remains energized. The design switch out the failed one. Conversely, a includes standby redundancy that maintains the system in a redundancy is referred to as cold (stand- safe mode until corrective action is taken. Redundant fastener by) when secondary or tertiary redundant elements are non-operative until they arrangements in structures are examples of fail active design are intentionally switched into operation • Fail-operational: The failure causes the equipment to revert upon failure of a primary element. to a mode that allows continued operation in a safe manner; An important general principle is that however, functionalities that would otherwise present an unsafe all redundancies (as well as inhibits and situation could be lost. barriers) included within a design must be verifiable. It is essential that redundan- cies are independent, in the sense that no single credible failure, event, or environ- ment can eliminate more than one. form of containers (isolating the material), operation, some system functionality can or as masks and other protective gear be lost. Nevertheless, the primary intent is Redundancies are used for safety and equipment (isolating the crew). In a to prevent harm to people, and secondly and also to enhance mission success. It microgravity environment, metallic chips to prevent further system damage. is generally accepted that by implement- and glass fragments are potentially harm- ing a number of independent safety re- ful if inhaled. In such cases, barriers can There are three fail-safe design ap- dundancies as a protection against the take the shape of filters with adequately proaches, fail-passive, fail-active, and possible consequences of a failure, i.e., fine meshes. Additionally, metallic debris fail-operational. The option selected is whether they are catastrophic or criti- can cause shorts in avionics equipment, determined by the specific purpose and cal, the overall risk associated with op- or become lodged in critical mechanisms. functionality of the system: erating the system becomes acceptable The barriers applied in this situation are because the event probability becomes comprised of layers of conformal coat- Sometimes the term, fail-safe, is used more remote. ings over electronic circuitry, or guards as a synonym for redundancy, although and enclosures placed over mechanisms. in general these are different concepts. A fail-safe design does not maintain or Design for minimum risk Sometimes barriers are intended to ensure safety by enhancing system reli- be temporary, such as the use of inter- ability. A fail-safe design, indeed, can be Design hazard controls, other than locks to prevent inadvertent access or unreliable, and yet ensure safety. those utilizing redundancies and barri- exposure when a hazard source is pres- ers, meant to avoid failure fall collectively ent. An interlock can be used to prevent within a category called design for mini- access to an energized laser, rotating Redundancies mum risk. These requirements rely upon equipment, or high temperature surfaces safety factors and safety margins estab- by locking covers or access doors while Redundancies can be established at lished by analysis and test, past experi- power is applied. As well, interlocks can any product-tree level, including com- ence, and international safety standards function by automatically removing the ponents and system functional level. to ensure an established level of accept- hazard source, e.g., power to a laser Single-point-failures can be removed lo- able risk. Cases in which design for mini- when a protective cover (another barrier) cally by implementing redundant parts, mum risk is appropriate for use include is removed. items or equipment, or more than one structures, pressure vessels, pyrotech- distinct, sometimes dissimilar, complete nic devices, flammability, and design for hardware/software functional chain is electromagnetic compatibility. Fail-safe design implemented for accomplishing a sys- tem function. The concept of design for mini- The purpose of fail-safe design, basi- mum risk is probably the earliest design cally, is to place a system in safe mode fol- As general rule, “must-work” func- method used to minimize failure prob- lowing some failure. In this safe mode of tions require system functional redun- ability. It typically results in overdesign to

14 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

account for various uncertainties en- countered such as environmental con- if CABIN FIRE: ditions, analyses and test methods, 10. CAB FAN A,B (two) – OFF (max 20 min) materials variability, and manufacturing 11. Locate source (see matrix, facing page) processes variances. For the engineer, 12. Unpwr source of smoke overdesign essentially is a way for dis- If smoke persists or source cannot be unpwrd: tancing the statistical distributions for cumulative stress and strength curves that are not known with requisite preci- WARNING sion, thus preventing them from overlap- Discharge is propulsive ping. Safety factors and safety margins change and are refined as our knowl- 13. Discharge handheld FIRE EXTGHR edge in pertinent areas advances. If Ascent: 14. Post MECO, go to POST-FIRE CABIN CLEANUP (ASC The equivalent concept in electronic PKT, ECLS) >> design is sometimes called fault avoid- If Entry and prior to TIG: ance. It consists in reducing the possibil- ity of a system failure by increasing the 15. Go to ECLS FRP-3, FIRE/HAZ SPILL O2 CONTROL, step | reliability of individual items through the 3 (MAL) use of electrical design margins, derat- ing criteria, high reliability components, Shuttle cabin fire-fighting flight procedure. application of workmanship standards, et cetera. Crew procedures, also called flight operation. The proposed control would procedures, are the primary method be evaluated by safety, engineering and used for an operational control. Gen- operations experts and if agreed a Flight erally, procedures and checklists are Rule would be issued by the Flight Con- 1.3.8 meant as memory aids to help the crew trol Team to ensure that the crew will be avoiding errors such as missing a step of instructed to power off the transmitter Hazard operational a task or altering its sequence. When a prior to proximity operations. Mission procedure includes an operational haz- planners would ensure that the crew’s controls ard control, it will specify: plan contains these activities explicitly when required (Barriero, 2010). Over the 1. What the procedures is for course of several missions, the specific n operations hazard control (e.g. the 2. When it must be performed details of the constraint may change like Aaction of removing power, or perform- 3. What are the step-by-step actions the number of transmitters to be turned ing an inspection, etc.) can be defined as 4. What is the correct sequence of ac- off, or the specific operations that require the control of a hazard by crew real-time tions transmitter turned off. action either on the basis of procedures, 5. Warning note of hazard or through the implementation of a pre- 6. Description of hazard control action planned decision by the flight control (if not obvious) team, so-called flight rules. Sometimes, 7. Expected feedback and/or accept/ special crew training is used as opera- reject criteria (if applicable) 1.3.9 tional hazard control too. Operational hazard controls should be allowed only Flight rules are the secondary meth- Safety technical when an alternate means of reduction or od used for implementing operation haz- control of a hazard by design is not avail- ard control. They are also used to guide requirements able. Criteria for evaluating operational reactions to unexpected events. Flight hazard controls are: rules are normally used for items that and criteria cannot be contained in a nominal crew ƒƒ It can be accomplished by the crew procedure. For example, suppose that a ƒƒ There is sufficient time available for hazard is identified that a payload trans- afety requirements and criteria are performing it mitter on a space station would interfere Sused to inform the designer about the ƒƒ There is sufficient telemetry available with the docking system of a visiting ve- acceptable level of risk control that the to monitor its execution hicle in its proximity. The developer may system must achieve. Safety require- ƒƒ It does not create new hazards. identify an operational hazard control ments and criteria can be grouped under consisting in switching off the transmitter two broad categories of Failure Toler- at a certain time during the rendezvous ance, and Failure Avoidance. In addition,

15 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

certain contingency response capabili- ties, for example for allowing escape, are included.

Failure-Tolerance criteria refer to SAFETY MANAGEMENT the ability of the system to maintains through the designed-in characteristics prescribed functions or services to users despite the existence of failures or faults. Fault-Avoidance, used when Failure tol- erance is not doable, consists instead in reducing the probability of a failure or fault Policy & Safety Risk Safety Safety by increasing the reliability of individual items (design margins such as factor of Objectives Management Assurance Promotion safety, designing to worst case scenarios, materials selection, use of hi-reliability components, de-rating, quality control, testing, etc.). Fault avoidance is generally achieved through the use of proven best practices for the design of subsystems. collected in a single safety standard that addresses the following topics: 1.4 A system is made safe by imple- menting hazard controls (i.e. redundan- ƒƒ Hazard severity categories SAFETY cies, barriers, safety factors, etc.) and (catastrophic, critical, marginal) capabilities to prevent, tolerate, and miti- MANAGEMENT gate hardware failures, software faults, ƒƒ Failure Tolerance requirements and human errors. Differently from evolu- (driven by hazard severity categories) SYSTEM tionary industries like aviation and ship- (must-work/must-not-work safety- building, in space projects those safety critical functions, commands, etc.) features are not prescribed by detailed he Safety Management System (SMS) safety codes or regulations but left to be ƒƒ Failure Avoidance Tis the systematic approach to manag- selected and developed by the designer (i.e. Design-for-Minimum-Risk) ing safety, including the necessary or- through hazard analysis in compliance (structures, materials, avionics/EEE, ganizational structures, accountabilities, with the prescribe level of risk control. mechanisms, RF emission etc.) policies and procedures. The resulting design and operational solutions (hazard controls) are relevant ƒƒ Environment and Habitability verification methods are then carefully (noise, life-support system, thermal validated for compliance with safety re- hazards, sharp edges, etc.) quirements and criteria by an indepen- 1.4.1 dent multi-disciplinary panel of experts. ƒƒ System Capabilities (hazard detection/annunciation/ Organizational Typically, safety requirements and safing, abort/escape, fire detection, criteria for a space program (i.e. in- etc.) requirements cluding a large variety of systems from a coffee machine to a robotic arm) are ƒƒ Safety Analysis/Certification Process he top management of a system de- Tveloper and/or operator must dem- onstrate leadership and commitment to the development, implementation, main- tenance and continual improvement of Safety requirements and criteria the Safety Management System. The top executive must retain ultimate re- are used to inform the designer sponsibility for the performance of the safety activities and must have ultimate about the acceptable level of risk control over the financial and human resources required for the safety activi- control that the system must achieve ties. The top executive must designate sufficient safety management personnel

16 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

c) safety requirements and criteria The top executive must retain ultimate applicable to a specific hazard; d) possible causes of each hazard; responsibility for the performance e) description of how hazard causes are controlled (i.e. eliminated or of the safety activities and must have mitigated); f) description of relevant verification ultimate control over the financial plans, procedures and methods for each control. and human resources Risk Management and Acceptance who, on his/her behalf, are responsible starting with the conceptual design for coordinating implementation, main- phase. Must analyze the systems func- Intrinsic in the concept of a standard tenance, and integration of the Safety tions, in the worst environment condi- is that compliance must be assessed and Management System and regularly re- tions and with reference to the opera- enforced, otherwise the requirements port to the top executive on the per- tional scenario, to assess their safety become simply a set of guidelines. Moni- formance of the SMS and on any need criticality. The functional system analysis toring and enforcement can be done by for improvement. and other detailed analysis must be used any party to which such authority be- to identify hazards, and in developing longs or is assigned. Such organization The responsibilities, accountabilities and implementing risk controls. must have the following three key pre- and authorities of staff having a role that requisites: authority, competence, and affects safety (including management The key concept applied in space independence (from the specific project and other staff involved in safety-relat- programs is that the safety authority sets or program). ed tasks) must be defined at all levels safety policies, while the program estab- within organizations involved in system lishes relevant safety requirements and The safety review process consists development and operation, document- criteria and develops the most appropri- in the independent verification that a sys- ed, assigned and communicated. The ate design solutions and verifications. In tem has been designed in compliance staff with delegated responsibilities for other words, the safety authority defines with applicable safety requirements, that safety related tasks shall have the au- where the limit lies between “safe” and hazard controls have been duly imple- thority, competence and appropriate “unsafe”, but it is the developer, having mented during manufacturing, integra- resources to perform their tasks without the best knowledge of system design and tion and operations preparation, and that being adversely affected by the activities operations, who defines the design safety hazard controls verification were carried of other business functions. Delegation features and operational procedures. out successfully. Requirements on type, of responsibility for safety-related tasks content and submission schedule of shall be documented and communi- Because of the generic nature of safety data to be review, are established cated to the relevant staff, accepted safety requirements, the design solu- by the safety authority. and understood. tions need to be validated by the devel- oper through an analytical process using During the safety reviews process, techniques like hazard analysis, Fault- safety data are examined by the safety Three Analysis, etc. and checked trough review panel, sometimes called safety an independent peer-review. review board, which is a multidisciplinary 1.4.2 team of independent representatives from different technical and functional ar- Identifying, Safety Data eas providing a spectrum of knowledge on system safety. The safety panel is documenting, The resulting detailed safety de- typically composed of experts in various sign and verification requirements (i.e. fields of engineering and science such and validating hazards controls and relevant analyses, as structures, software, mechanisms, tests, inspections, demonstrations, will materials, electrical and power subsys- system hazards be documented and tracked in a safety tems, toxicology, biology, medicine, and data package (sometimes called safety- of representatives from organizations case) that usually includes: such as flight and ground operations, in- he system developer/operator must tegration, and astronaut office. Members Tdevelop and maintain a process to a) summary description of the system, of the safety review panel have individual iteratively identify system hazards as and operational environment; responsibilities to provide the consoli- integral part of the system design, de- b) identified hazards in the system dated assessment of their specialist or- velopment, and operational processes, and their severity; ganizations, and collective responsibility

17 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

levels of integration of instruments, re- Intrinsic in the concept of a standard is search facilities and equipment. Finally, an integrated safety review cycle follows that compliance must be assessed and at level of overall space station on-orbit configuration. Similarly, for the trans- enforced, otherwise the requirements portation of each module by Shuttle, an integrated safety review cycle was car- become simply a set of guidelines ried for Shuttle in transport configuration with the integrated module in transport configuration, and other payloads in to support discussion and coordination approved operational hazard controls the cargo bay, as shown in the figure of all review findings and recommenda- are presented for review, together with here below. tions. Panel members advise panel chair hazard controls verification plans and (or co-chairs), who holds delegated de- procedures. Finally, at phase III safety Because new instruments and cisional responsibility. Upon successful review, the results of safety verification equipment are continuously sent to ISS completion of a safety reviews cycle, the activities are presented. and other are returned or disposed, ev- chair(s) will issue a formal statement of ery time the configuration of the space safety system compliance. Safety reviews are carried out not station changes, in particular in conjunc- only in phase with system design and tion with departure and arrival of trans- Safety reviews are carried out incre- development, but also at several levels port vehicles, a new cycle of integrated mentally in phase with design and devel- of integration with other systems, de- safety reviews is carried out. opment activities. For such reason, they pending on complexity. Take for example are called phased safety reviews. Safety the international Space Station habit- In the following chapter we will reviews are often identified sequentially able units called modules. Each module see how safety standards emerged at with 0, and Roman numerals I, II, III. reached orbit separately on-board Shut- NASA in response to specific needs of Safety reviews are carried out either im- tle or Russian rockets to be integrated the Shuttle Programs and International mediately before or after project reviews, on-orbit. Each module accommodates Space Station Program. We will see how depending on considerations of potential various kind of scientific instruments, re- goal-oriented safety requirements and impact on design if some hazard controls search facilities, and system equipment, criteria have emerged and evolved from are changed, rejected, or modified. which are developed by different orga- early concepts of human rating, and how nizations and according with different they are documented. We will see also Phase 0 Safety Review is held during timelines. Each ISS module had its own the relationship between safety stan- the conceptual phase of design. Phase I cycle of system safety reviews, followed dards and technical standards and how follows at the time of project Preliminary by integrated safety reviews at various they are used in combination. Design Review (PDR). Then Phase II at the time of project Critical Design Review (CDR), and finally phase III at completion of successful verification of hazard con- trols implementation. Integrated STS (Shuttle) Safety data are the input to safety (Launch No. x) reviews. They consist of hazard reports ICHA and supporting data, becoming more NASA/Boeing and more detailed as project design and development activities progress. Integrated Cargo Integrated Element At Phase 0, safety data are limited Carrier (ICC) Middeck Items COLUMBUS Launch to the identification of hazards and ap- (Transport Config) ESA PSRP = O/I, II, III Config. plicable safety requirements. At Phase I, NASA Responsible NASA SRP = III due to design evolution since the con- ceptual phase, new hazard reports may be presented for review while others Integrated CEPA Integrated CEPA may be cancelled. The Phase I hazard No. 1 No. ... reports will document all hazard causes External Facility External Facility ESA PSRP = O/I, ESA PSRP = O/I, while design and operational hazard II, III II, III controls are presented in a preliminary form. At phase II safety review, all de- tails on design hazards controls and Shuttle Integrated Safety Review Process - European Payloads Transported in Cargo Bay and Middeck Lockers.

18 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 2 EVOLUTION OF SYSTEM SAFETY AT NASA

2.1 The key idea was to lower the risk of loss HUMAN RATING of crew (LOC) caused by launch vehicle malfunctions by providing abort capability he early NASA approach to human Tspaceflight safety (called man-rating at the time) consisted on adapting mili- ground and flight tests at components, tary rockets for crewed missions. The subsystems and system level to identify driving considerations were: changes and modifications to improve system reliability. ƒƒ Safety during launch Dr. Maxime A. Faget Launch escape system Space systems human rating con- ƒƒ Satisfactory operation within human- inventor. cepts have evolved from the narrow factors tolerances scope of adapting existing rockets for human spaceflight use, to the current en- ƒƒ Adequate performance margins for vehicle malfunctions by providing abort compassing human-centered approach mission reliability capability, so-called emergency or launch of designing the system to ensure human escape system, from the time of astro- protection, to account for human limita- The key idea was to lower the risk naut boarding through capsule separa- tions, capabilities and performance, and of loss of crew (LOC) caused by launch tion. In addition, performing extensive to accommodate human needs.

Antenna Fairing

4 • Sense Tower Separation Through Electrical Disconnect • Start Rate Damping Retrograde Package Retention Straps • After 3 Seconds Eject Antenna Fairing

Rate Damping and Constant Roll 2 Control (Rate Gyros) Sense Capsule Adapter Separation 3 Capsule Tower Separation Jettison Retro-Package and Retro-Package Timer Runs Out Retention Straps Fire Tower Separation Bolts Sense Tower Ring Separation Fire Tower Jettison Rocket 5 • Deploy Main Chute • Rate Damping Ceases For Aborts after Liftoff around 125 Feet Separation upon Deployment of Main Distance will be Achived within 1 Second after Initiation of Chute Escape Rocket Firing 1 Upon Receipt of Abort Signal Cutoff Vehicle Engine (Signal Stored until Liftoff + 30 Seconds) Fire Capsule - Adapter Ring Bolts Sense Capsule - Adapter Ring Separation Fire Escape Rocket

Mercury-Atlas Launch Escape System (NASA).

19 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

command to terminate the flight to avoid First suborbital human spaceflight almost 60 years ago risk on ground, and to test the system. Years later, in 1983, Russian activated a Soyuz LES by manual radio command from ground while the rocket was still on In 1961, Alan Sheppard on a the launch pad. A fire had engulfed the suborbital flight reached187 km of base of the rocket burning the LES com- altitude on board the first Mercury. mand cables used by crew and ground. A capsule on top a man-rated The capsule was successfully separated Redstone 3 rocket. before the Soyuz rocket exploded.

The NASA Gemini program used manual abort command, which proved In 1963, NASA test pilot Joseph its value on Gemini VI mission when the Walker reached an altitude of 108 km engines ignited, but after about 1.5 sec- in an X-15 aircraft, and returned to onds of operation, they abruptly shut the runaway from which he took off down. Mission rules dictated immediate (attached to a B-52 mother ship). activation of the ejection seats. However, Schirra, the commander, did not feel any movement and knew that the launcher hadn’t lifted, so he decided to not abort, thus saving the mission. In 1963, Russians, which had pre- 2.1.1 viously used ejection seats on Vostok, Nowadays. Chinese Shenzhou, and developed a similar ‘tractor’ tower es- NASA Orion both use a tractor rocket Launch abort system cape system for Soyuz. Curiously, at the powered configuration for LES, which is same time NASA went the other way by jettisoned during flight, instead SpaceX developing ejection seats for Gemini- Dragon commercial crew transportation In 1958, Maxime Faget developed Titan II that included a special feature vehicle uses a liquid fueled ‘pusher’ at NASA the concept of safely aborting called rocket catapult (ROCAT) to propel launch abort system integrated into the flight using a dedicated rocket to remove the seats to a safe distance (Ray, Burns capsule. Boeing uses a similar pusher the capsule from the launch vehicle. 1967). The following NASA Apollo pro- abort system on its commercial CST-100 The most challenging failure scenario, gram to land man on the Moon went capsule. which ultimately determines the design back to a launch escape system based of a launch abort system, is the explo- on Faget tractor configuration. sion of the rocket right on the launch pad. Generally, in such situation, ejection An important choice in designing seats cannot guarantee to reach almost an abort system is between automatic 2.1.2 instantaneously a safe distance from and manual control. For Mercury, an exploding rocket fireball and shrapnels. automatic abort sensing and separa- Early programs The configuration Faget conceived used tion system was selected since some a tower on the top of the crew capsule to emergency conditions could develop too house solid propellant rockets. Sensors rapidly to permit manual activation of the n early space programs, system safety would detect potentially catastrophic abort command. The automatic system Iwas essentially considered to coincide launch vehicle malfunctions, terminate would relieve the astronaut, whose per- with system reliability, plus abort capa- the flight by shutdown of propulsion, and formance under flight loads was not well bility. Some hazards mitigations were in- quickly separate the capsule to a safe established at the time, from the require- troduced sporadically on an opportunis- distance from the rocket. ment to monitor and sense all emergen- tic basis. For example, the toxic Hydine cy situations. However manual activation (60 percent UDMH, 40 percent diethyl- NASA Mercury was the first human from ground, and by crew on-pad (from ene triamine) used on military Redstone, spaceflight program of the United States, umbilical drop until ignition), was also was replaced by alcohol, because it was running from 1958 through 1963. Mercu- possible. unsafe for the astronaut in the event of a ry was the first to use a launch escape prelaunch emergency egress. system (LES) on two different military In April 1961, during an unmanned rockets modified for human spaceflight: Mercury flight test, the rocket guidance The low reliability of military rockets Redstone for the early suborbital flights, system failed. The range safety officer was acceptable for their original mission and Atlas D for orbital flights. activated the capsule launch escape but totally inadequate for crewed space- system from ground by manual radio flight. Although low, military rockets

20 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

reliability was proven, being the result number of tests, and finally bottom-up Being understood that methods to of on-going maturation through actual verification using mathematical mod- quantitatively assess the reliability of the operations. Before Mercury manned els to assess the achieved reliability at design where not precise enough, due missions, Redstone rockets had been subsystem and system level. Instead, to the limited amount of data, numerical already launched 37 times and Atlas the engineering judgement approach values were considered as guidance to rockets 100 times. Furthermore, many emphasized, in the words of Von Braun, judge the adequacy of the design and components were originally designed to “an almost religious vigilance and atten- not as true measure of system reliability. mission parameters exceeding those re- tion to detail on the part of every member Quantitative analyses were relegated to quired for manned missions. Therefore, of the development team”. Meticulous initial trade-off studies during the con- programs were reluctant to introduce search for errors in design, “testing to ceptual design phases of hardware de- design changes, unless mandated by failure” to expose hidden flaws, effec- velopment. mission needs, due to concern of inad- tive corrective actions system, and strict vertently degrading the rocket reliability quality control. The synthesis of the two Removal of single point failures instead of improving it. Redundancies approaches consisted in the use of a (SPF), as far as feasible, through the where mainly used on the new abort sys- combination of quantitative and qualita- implementation of redundancies and tem in order to overcome the potential tive reliability analyses (e.g. failure modes inhibits was the main reliability require- problems of false abort signal (mission and effects analysis, criticality analysis), ment driving the Apollo program design loss) or undetected actual abort condi- use of failure avoidance techniques (sim- activities. The redundancy philosophy tions (loss of crew). For the rest, the pillar plicity, derating, large safety factors, use of Saturn V rocket consisted essentially of the reliability program was a massive of approved parts, etc.), implementation into “engine-out capability” for the first campaign of subsystems and compo- of redundancies, and finally performance stage, plus redundancies for the guid- nents environmental tests to validate of extensive design reviews and qualifi- ance system (triple modular redundan- existing design and changes, with mar- cation and acceptance testing at all lev- cy), flight termination system, and abort gins added to operational environment. els (Sperber, 1973). system sensors (NASA, 1968). More ex- A stricter quality assurance program was tensive use of redundancies was made putted in place to prevent human errors on the Apollo spacecraft modules. during manufacturing, integration and operations going undetected. Awareness that safety could not be achieved solely by combination of abort Starting with the Apollo program system and reliability program dramati- the term “man-rating” took a different cally emerged with the Apollo 1 fire that meaning. No longer referring to the ad- killed three astronauts during ground aptation of existing unmanned rockets, testing at Kennedy Space in January but to indicate that a system (rocket and 1967. Within few months, an Apollo sys- capsule) had been developed for crewed tem safety program was mandated by missions. Until Apollo 1 ground fire ac- NASA Headquarters requiring to perform cident, the two tenets of the man-rating formal hazard analyses of system, and approach remained, the use of abort ground and flight operations. The activi- system and reliability program. ties started with the compilation of a list of “potential accidents” from the time The Apollo reliability program was the astronauts entered the launch pad based on different considerations with until splashdown and recovery of the reference to previous NASA programs. capsule. The “potential accidents” were No longer about improving reliability, but prioritized based on program experience, on designing reliability into a new sys- mission phases criticality, and expecta- tem. The approach adopted by NASA tions of likelihood of occurrence. Besides was a smart synthesis of two compet- hazards analyses, several safety studies ing approaches, statistical techniques were undertaken on flammability testing, and engineering judgement respectively. which had been at the center of a heated debate. The statistical approach rested on the concept of building system reli- Within few months, an Apollo system safety ability through an iterative process that started with top-down apportionment of program was mandated by NASA Headquarters system reliability quantitative target to subsystems and components, followed requiring to perform formal hazard analyses by determination of failure rates at com- ponents level by statistically significant of system, and ground and flight operations

21 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

selection of materials, prevention of dam- ages to electrical wiring, fire suppression etc. Even the paper chosen for on board procedures, handbooks, and manuals was of a special one difficult to burn.

The Apollo accident happened around the time when techniques for human error prevention and control had become commonplace in aviation and had started to be applied extensively to consumer goods too. After 1965, con- sumer goods manufacturer’s liability was no longer limited to the case of a product that was “unsafe for its intended use,” but included the case of a product “un- safe for an unintended but foreseeable misuse”.

Safety analyses conducted after the Apollo accident included consider- ation of the human element limitations and capabilities. The handbook Boeing prepared for NASA on the execution of safety analyses stated as follows:

“A study of man-machine relation- The Hubble Telescope was one of the most notorious Shuttle payloads. ships complements system safety by providing additional emphasize on hu- man error analysis and error reduc- lites like Hubble telescope, Galileo and tion. These are critical considerations 2.1.3 Ulysses, plus rocket upper stages, or in determining potential system modes habitable modules like SpaceLab and that can result in hazardous conditions. Shuttle payloads SpaceHab. Smaller payloads, research Identification and analysis of the over- facilities and experiments would be ac- all hazardous consequences of a given and ISS commodated in lockers in the pressur- failure event require an understanding ized crew compartment or in dedicated of human capabilities and limitations as canisters called Get Away Special (GAS) well as the interfaces between subsys- he NASA Shuttle program, officially externally in the cargo bay. For such tems, systems, and environments. Man- Tknown as National Space Transpor- reason, the safety requirements had to machine relationship to be effective must tation System (NSTS), was announced be encompassing but generic and per- be integrated with system safety to pro- by President Nixon on January 5, 1972. formance oriented. vide a logical and consistent continuum The Shuttle was considered at the time throughout the lifespan of an aerospace the reusable launch system of the future, Shuttle payloads preparatory ac- system” (NASA, 1969). promising to revolutionize launch avail- tivities started with work on safety and ability and costs. interface requirements, payload integra- Main safety requirements and risk tion process, and implementation guide- mitigation best practices later used All kind of users were expected, from lines. The work included preparation of on Skylab and Shuttle programs were government agencies to commercial so-called interpretation letters (because traceable to the Apollo post-fire safety customers and other NASA programs. of their letter format) meant to be ad- program. Skylab, for example, was the visory. With safety requirements being first U.S. program to transition to a two As Shuttle development was pro- mainly generic and goal oriented, there gases atmosphere instead of pure oxy- gressing, NASA started to work on pay- was the need to help Shuttle custom- gen, which was studied in the aftermath load accommodation, interfaces, and ers understand purpose and rationale of Apollo 1 fire but not implemented due safety requirements. A wide variety of some requirements, and to advise to major design impact. of payloads were expected including them on possible design solutions that many that had never been flown before could be acceptable, but without impos- in space. The Shuttle cargo bay was ing them. Verification requirements (i.e. sized to accommodate entire satel- analyses and/or tests, inspections, and

22 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

In establishing payloads safety re- injury, or an occupational illness. Loss of Potential catastrophic quirements, the Shuttle program decided major flight elements or ground facilities to take some “comfort margin” or in other can also be classified as catastrophic. hazards required words to be more conservative than was Critical consequences were defined as the case for the Shuttle systems. This was those causing temporary disabling in- two-fault-tolerance, not meant to be a penalty but the price to jury or occupational illness, use of con- be paid for allowing design freedom to tingency or emergency procedures, or while critical payloads developers. For example, for damage to equipment. Shuttle systems, rigorous requirements hazard required were applied on procurement, selection The required fault-tolerance level de- and testing of EEE components, on soft- pended on safety criticality of payloads single-fault-tolerance ware development, on quality control, function, and on severity of hazards. In and on configuration management, but general, payloads do not have ‘must- payload developers could use whatever work-function’, (i.e. active functions vital EEE components they considered suit- for keeping the crew alive) but often in- demonstrations) were also defined as able, their own software development clude ‘must-not-work functions’, which well as guidance for the preparation of methods, etc. In the case of small enter- are functions that if operated inadver- payloads verification plans. prises or universities, it was even expect- tently or untimely (e.g. access to a live ed that they could lack familiarity with ba- high-power laser) can kill or injury the For customers’ benefit, the Shuttle sics of quality control and configuration crew, or cause damages. Payloads may program created also documents de- management. Overall, it was a matter of include some inherent hazards such as scribing available payloads accommo- trading reliability for cost. Payloads fail- high voltages, high temperature, toxic dations for electrical power, cooling, or ures were deemed acceptable as long as compounds, etc. safety inhibits like switches and valves they did not affect safety. that could be made available (upon ne- An important concept was to assume gotiation) on the Orbiter side to help The classification of ‘hazard sever- that payload software was zero-fault-tol- meet some safety requirements levied ity’ was used to drive the amount of fault erant thus counting it as providing only on payloads. Whole series of techni- tolerance required for Shuttle payloads. one level of hazard control. All additional cal standards, support standards, and Potential catastrophic hazards required controls had to be hardwired, unless handbooks were developed to help cus- two-fault-tolerance, while critical hazard payload developer opted to apply the tomer design and verify their systems required single-fault-tolerance. A critical same strict software development and and to plan operations. Those stan- hazard was defined as potentially result- independent verification and validation dards covered structures, mechanical ing in injury to the crew or impairment to processes required for Shuttle systems systems, batteries, pyros, wiring, safe the vehicle or the mission. A catastrophic software. In other words, the possibility distances for firing payloads propulsion hazard could lead instead to loss of life, a to achieve two-fault tolerance (i.e. triple system, etc. life threatening or permanently disabling controls) by computer only was basically

The following fault-tolerance levels were levied on Shuttle payloads

• Safety critical system had to be two-failure tolerant. • No combination of two failures or operator error This criterion applied to “must work” systems. could result in catastrophic consequence. • Inadvertent operation of safety critical system • No single failure or operator error could have critical functions had to be controlled by a minimum of consequence. three inhibits. One of these inhibits had to preclude any operation by an RF command. The ground return for the circuit of the safety critical function had to possess the capability to be interrupted by one of NOTE: In this report the terms 'fault-tolerance' and the three inhibits. As well, at least two of the three 'failure-tolerance' are used interchangeably. One refers to inhibits had to be monitored. an event (failure), the other to a status (fault),

23 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

discouraged. (The Shuttle system relied Following the Shuttle Challenger di- In 1994, NASA agreed with Russians extensively on computer control of many saster, NASA decided to deemphasize to use the Shuttle to deliver a Russian ‘must-work-functions’. For example, the the commercial use of the Shuttle Pro- docking module to the Space Station flight control system had four redundant gram and leave commercial customers Mir. So the Russian docking module be- computers plus one back-up to be fail- to fly on expendable rockets. came a Shuttle payload and had to com- operational/fail-safe). ply with the relevant safety requirements. Commercial customers had been a What NASA learned by reviewing the The ‘margin of comfort’ approach central consideration when establish- Russian design was that the Russians for payloads safety consisted essential- ing the Shuttle payloads safety require- had a robust and safety-minded design, ly in requiring up to two-fault-tolerance ments. Now the Shuttle was expected which had been thoroughly tested. It was and larger safety factors for hazard con- just to serve other NASA programs. Pay- not difficult to show that it met Shuttle trols, and applying some conservativ- load safety requirements may have been payloads safety requirements because ism when classifying the severity of a different if this had been known from the they were not prescriptive. But there was hazard. For example, structural failures very beginning. However, the wisdom more come! and pressurized systems failures where of using generic goal-oriented safety always classified as ‘catastrophic’. requirements was confirmed when an In 1984 the U.S. began developing Some conservativism was applied when unexpected Shuttle customer appeared, Freedom, a permanent manned space classifying the toxicity of chemical the Russians, and later when develop- station, and called upon the G7 Group compounds too. ment of the space station started. of countries to join in the program.

Safety Approaches/Goals Mission Description Main Human Rating Techniques Mission Duration

No Single Failure results in Loss of Mission. Launch escape system. Single electronics unit with crew based Suborbital proof of concept No Single Failure during an abort results in Loss diverse manual backup systems. and single crewperson of Crew. Mercury Ground support from centralized control center to guide orbital operations operations and support anomaly resolution. Short duration mission: hours to days

Launch escape via ejection seats. Single electronics unit with LEO, proof of concept Probability of Mission Success: 0.95 crew based diverse manual backup systems. Redundancy (incl. change of orbit/rendezvous Probability of Safe Crew Return: 0.995 functional) for all systems effecting crew safety. Gemini and docking in preparation Ground support from centralized control center to guide for lunar landing missions Medium duration missions: days to 2 weeks operations and support anomaly resolution.

Launch escape system. Single electronics unit with crew based Probability of Mission Success: 0.95 diverse manual backup systems. Moon rendezvous, landing Probability of Safe Crew Return: 0.999 Three fuel cells and power buses Apollo and return Ground support from centralized control center to guide Medium duration missions: 1-2 weeks operations and support anomaly resolution.

Dual redundant computers. On-rbit maintenance. EVA. Skylab LEO Station Long mission duration: years Ground support from centralized control center to guide operations and support anomaly resolution.

1st stage launch escape not possible, only first flights provided Space access, launch and System: Fail-Safe including Aborts. ejection seats. Capability to return to launch site and to land at return (sat. deployment/ Avionics: Fail-Operational, Fail-Safe, two Fault- trans-Atlantic abort landing sites. Triple and quad redundancy. LEO experiments platform), Tolerant. Shuttle On-orbit maintenance. EVA. aircraft-type return and Ground support from centralized control center to guide landing. Reusable vehicle Medium duration missions: 1-2 weeks operations and support anomaly resolution.

Two Fault-Tolerant, Fail-Operational, Fail-Safe. Safe-haven, crew escape vehicles. Redundancies. LEO Station (experiments Designs for Minimum Risk (where Fault-Tolerance On-orbit maintenance. EVA. platform). On-orbit not possible). ISS Ground support from centralized control center to guide assembly proof of concept operations and support anomaly resolution. Long duration missions: decades

Comparison of historical safety approaches, goals and techniques (adapted from Miller, J., 2008).

24 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

In 1993, the Clinton Administration decid- ed to broach the subject of cooperation to The NPR 8705.2C directive is the synthesis construct the International Space Station (ISS) between US and Russia, together of lessons learned over more than 50 years with the international partners of the pre- vious Freedom station program, Japan, of human spaceflight Europe, Canada, and Italy. In 1998, the on-orbit construction of ISS began. human-rated space systems such as The NASA human rating directive is When NASA started discussing with vehicles, space suits, planetary bases, structured in three parts: partners the safety requirements for the planetary rovers, and surface vehicles future ISS systems, certain similarities (NASA NPR 8705.2C). 1) certification process with the early considerations about Shut- tle payloads emerged. A large number of The NPR 8705.2C directive is the 2) certification requirements ISS elements would be developed at re- synthesis of lessons learned over de- mote locations, not under direct control of cades of human spaceflight. The key te- 3) technical requirements. NASA, and by following to a large extent nets are: local technical standards. In addition, all The human rating certification pro- modules and payloads except those from a) protect human life; cess starts with the approval of pro- Russia would be transported to the Inter- gram maximum acceptable level of risk national Space Station by Shuttle and b) integrate human as “master” for crew, and long-term safety goals by had therefore to comply with Shuttle pay- system, taking into account NASA’s Administrator. Continues with load safety requirements. It was the best limitations, capabilities, verification at program major develop- interest of everybody that safety require- performance vulnerability, and ment and operational milestones of prog- ments of ISS would not conflict but com- needs; and ress in implementing the human rating re- plement those of Shuttle payloads. The quirements, and concludes with approval solution was to adopt Shuttle payloads c) perform human-rating process by the Administrator of the human rating safety requirements for ISS systems and throughout system lifetime, under certificate for the mission. payloads with some tailoring. authority, direction, and control of Agency’s Administrator. The appropriate implementation of For all previous U.S. space pro- risk reduction measures such as failure grams, including Shuttle, safety require- The human-rating directive makes ap- tolerance is responsibility of the program ments were embedded in systems spec- plicable NASA’s human system standards manager but during design he must fol- ifications. For the International Space for crew health and human factors, which low a number of mandated human-rating Station, for the first time, safety require- are directed at minimizing health and per- processes and activities, such as: ments were established as a separate, formance risks for flight crews. The stan- dedicated standard. dards set requirements for fitness for duty, 1) allocation of safety goals and human physical and cognitive capabilities thresholds to mission phases and and limitations, space flight permissible elements exposure limits, medical care, as well as human factors, and habitability. The stan- 2) definition of redundancy/back-up 2.1.4 dards consider human physiologic pa- strategies, and level of failure rameters as a system and therefore treats tolerance Current NASA them as an integral part of the overall ve- hicle design process. The standard sets 3) identification of crew survival Human-rating requirements for human-system integra- strategies, and effective utilization tion where the context is about how the of crew during emergencies program crew interacts with other systems, includ- ing the habitat and the environment. 4) integration of safety analyses and system design n 2005, NASA issued the policy direc- Other standards that support and Itive NPR 8705.2C on “Human-Rating complement the technical human-rating 5) human-system integration, Requirements for Space Systems”, requirements in the directive are not iden- including evaluation of system which establishes technical and certifi- tified beforehand but left to the so-called design impact on crew workload, cation requirements for any space sys- Technical Authorities for safety, engineer- and human-in-the loop usability tem developed and/or operated by or ing and medical respectively to identify as evaluation for NASA, that support human activity program applicable baseline of safety, en- in space and that interacts with crewed gineering, and medical standards.

25 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

6) design to prevent and mitigate hu- project review meetings with engineering sponsibility" (National Academy of Sci- man errors, and human error analy- and operations representatives to have ences, 1988).They recommended that sis of nominal and emergency op- its own concerns addressed. “NASA should periodically remind all erational procedures NASA personnel that boards and panels In January 1981, few months before are advisory in nature. He should specify Human-rating directive (top-level) the first Shuttle launch, NASA estab- the individuals in NASA, by name and technical requirements include tradi- lished the Senior Safety Board “…as a position, who are responsible for mak- tional and new requirements. Tradi- mechanism to periodic review of system ing final decisions while considering the tional requirements such as automatic/ and element level hazard resolution ac- advice of each panel and board. NASA manual launch escape system, failure/ tivities and for providing management management should also see to it that fault/human error tolerance or design for visibility of open and accepted risk haz- each individual involved in the NSTS minimum risk, and provision for safe and ards”. The board concentrated its efforts Program is completely aware of his/her habitable environment (protection from on reviewing Space Shuttle integration, responsibilities”. radiation, space debris, hot surfaces, cargo integration, and element-level high voltages, etc.) New requirements open hazards, and review and approve The Shuttle Challenger disaster in- are mainly aimed at allowing human con- of hazards closure rationale (Duarte, vestigation report branded the safety trol of automatic systems. The human 2007). The board reported to the John- program as the ‘silent program’ to un- must have means to override system son Space Center (JSC) Director of Safe- derline how little influence the safety or- software, or to take manual control of ty, Reliability and Quality Assurance, and ganization had on the program. space vehicle flight path and attitude un- membership and chair were all from the less not feasible (e.g. during atmospheric safety organizations. In December 1988, NASA replaced ascent phase). the Senior Safety Board with the NSTS In 1986, after the Challenger disas- System Safety Review Panel (SSRP) ter, the Aeronautics and Space Engineer- “…as a mechanism of enhancing the ing Board that evaluated the Shuttle risk Space Transportation System Safety assessment and management process- Management and Engineering through 2.2 es stated in their report that: “The multi- informational interchanges, develop- layered system of boards and panels in ment of concepts to improve the STS SAFETY PANELS & every aspect of the NSTS may lead indi- Safety Program review of safety docu- viduals to defer to the anonymity of the mentation, review of STS integration SAFETY AUTHORITY process and not focus closely enough and cargo integration, review of STS ele- on their individual responsibilities in the ment-level hazard identification and reso- decision chain. The sheer number of lution activities, and recommendations to NSTS related boards and panels seems level II management for Hazards reports 2.2.1 to produce a mindset of "collective re- disposition”. Safety Review Panel origin and evolution The Silent Safety Program

ntil Apollo 1 fire accident in 1967, The Commission was surprised to realize after many hours of testimony that there was no safety program at NASA U NASA’s safety staff was never mentioned... and no safety organization. After the accident, hazards analyses were sys- No one thought to invite a safety representative to the January 27, 1986, tematically performed, and safety divi- teleconference between Marshall and Thiokol. sions established starting with the one at Similarly, there was no representative of safety on the Mission Management Johnson Space Center. Team that made key decisions during the countdown on January 28, 1986... An extensive and redundant safety program existed during and after the lunar Safety divisions fulfilled their func- tion during system development through program to discover any potential safety problems. so-called ‘concurrent engineering’, con- Between that period and 1986, however, the program became ineffective. sisting in the participation of representa- This loss of effectiveness seriously degraded the checks and balances essential tives to various project reviews, but with- for maintaining flight safety. out safety playing an independent role in the decisional process. In other words, Report of the Presidential Commission investigating the Space Shuttle Challenger the safety organization had no indepen- disaster (Rogers Commission). dent voice and had to compete during

26 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

In February 2000, the scope of The panels members are indepen- The safety review panel would be SSRP was extended to include CIL dent from the program and represent chaired by a safety staff and composed (Critical Items List) dispositions, and various branches of NASA engineering by representatives of different technical identification and implementation of and functional organizations. They in- groups and organizations (engineering, innovative risk management methods, clude also independent representative of operations, astronaut office, etc.). The but in the meantime, the panel reporting prime contractor safety and engineering chair had sole authority for signature of line had changed from independent to organizations but with some limitations hazard reports, and had direct access to program. on voting rights. SERP co-chairs are Shuttle Program Manager. A pillar of the the safety and engineering technical au- overall approach was that the payload According to Nancy Leveson, “In thorities. The co-chairs have delegated organization (i.e. the customer) bore re- time, the Space Shuttle Program asked responsibility for review and interim ap- sponsibility for the design and verifica- to have some people support this ef- proval of safety analyses while final ap- tion of the payload they provided. The fort [SSRP] on an advisory basis. This proval remains with the relevant program safety review panel had instead the re- evolved to having program people serve manager. Changes to the design which sponsibility to ascertain that customers on the function. Eventually, program impact cost and schedule constraints understood the safety requirements and people began to take leadership roles. are elevated to the program manager for carried out correctly the hazard analysis By 2000, the office of responsibility had final decision. by identifying hazards, hazard causes, completely shifted from SR&QA to the and relevant controls and verifications. Space Shuttle Program.” In 1977, in the early stages of the Shuttle program as work on payload The customer had also to prove to After the Shuttle Columbia accident safety and technical requirements pro- the panel that agreed hazard controls of 2003, the SSRP operation was found gressed, consideration was given to the had been incorporated first in the design deficient and needing change. In par- payload safety organization. This was and then in the builds. In the process, the ticular: to be a novel kind of organization. The payload organization had to obtain con- Shuttle Program decided to establish the currence from NASA specialist groups a) Safety panel to become more PSRP (Payload Safety Review Panel). The on specific items such as construction proactive and focused, but without approach was completely different from materials usage, as meeting require- losing independence Shuttle systems project reviews, and ments for flammability, off-gassing and gave to the safety organization a leading stress corrosion, toxicological assess- b) Program manager to get insight and authoritative role, clear lines of re- ment of hazardous chemicals, etc. into risks (i.e. involvement in risk sponsibility, and ample technical support. acceptance) At the end of the safety review pro- cess, the chair would issue a letter cer- c) Active involvement of engineering tifying that safety reviews had been suc- in the safety review process The safety review cessfully completed for that payload to fly on a specific Shuttle mission. In April 2005, the SSRP was re- panel would be placed by the Safety Engineering Re- In case of re-flight on a subse- view Panel (SERP), constituted by a chaired by a safety quent mission, any change had to be panel at each NASA center involved in discussed with the panel. Any anomaly the Shuttle Program (JSC, MSFC, KSC), staff and composed encountered in the previous mission had plus an integration SERP for the review also to be discussed with the panel for of integrated hazard reports, all report- by representatives safety relevance, and implemented cor- ing to the Shuttle program manager via rective actions concurred. a panel manager from the safety organi- of different zation, The SERPs had review and ap- The ‘natural’ separation between proval authority for hazard reports and technical groups Shuttle program and payloads projects critical item lists. In addition, they were gave as rare benefit the development of involved in the assessment of all project and organizations the first goal/performance oriented safety changes and anomalies with possible standard, NSTS 1700.7b (NASA, 1989), impact on safety. (engineering, and organizational independence, strong management support, and multi-disci- The safety review panels of current operations, astronaut plinary support to the safety review panel. NASA Space Launch System (SLS) pro- gram and Orion Multi-Purpose Crew Ve- office, etc.) The PSRP operated flawlessly from hicle (MPCV) program, are a further evo- the beginning of Shuttle operations, and lution of Shuttle SERP. was reconfirmed after Challenger and Columbia accidents.

27 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Some years later with the start of the International Space Station program, the safety review process and panel organi- zation was modelled for the system and Normalization of Deviance for payloads after the Shuttle payloads PSRP. The ISS payload safety reviews became a responsibility of the Shuttle payloads PSRP that was renamed ac- cordingly as NSTS/ISS PSRP. A sepa- rate ISS SRP (Safety Review Panel) was created for ISS systems safety review. After Shuttle retirement and ISS assem- bly completion, the two panels were merged in a single one covering modi- fication of ISS, operations, new cargo and crew transport commercial vehi- cles, and payloads.

In the words of Bob Wren, engi- "Repeated success in accepting deviance from established standards implies future neering representative in NSTS/ISS and success. Over time the team fails to see their actions as deviant. Normalization of ISS SRP: deviance leads to "predictable surprises" that are invariably disastrous to the team “We set it up, copied the exact same Mike Mullane, Nasa astronaut " approach that we did for the PSRP, for the Shuttle payloads. It turned out that that was a good move. That was a smart move. I guess, and it worked An ‘anomaly’ is a possible noncon- fine. So that way we could come in 2.2.2 formance waiting confirmation. An en- and have reviews, phase reviews, gineer, a technician, a flight controller and I guess I didn’t talk about that, Safety governance sees something that in his view is unex- but we’d have a series in both pay- pected and reports an anomaly. Experts load process and in this SRP pro- examine it and decide if it is truly some- cess where we keyed the reviews The issue of “normalization of thing abnormal or the report initiator has to where the customer was in their deviance” mistakenly interpreted as anomalous development cycle… So we set up something that is normal behavior of the that same approach for the Station n anomaly is “an unexpected event, system. Upon anomaly confirmation, a modules and it worked great”. Ahardware or software damage, a de- nonconformance resolution process is parture from established procedures or initiated, which will either determine how In 2002, a new chapter was inaugu- performance, or a deviation of system, to fix the problem, or accept the violation rated with the decentralization of safety subsystem, or hardware or software per- as-is. Sometimes, the original require- review panels. A “franchised” NSTS/ISS formance outside certified or approved ment is found to be wrong and another Payload Safety Review Panel was estab- design and performance specification process called ‘engineering change re- lished at the European Space Agency in limits”. quest’ is engaged to change it. The Netherlands, to operate with same rules and practices, and under oversight A nonconformance is “a condition of During operations, before engaging of NASA. A similar agreement was soon any article, material, process, or service the offline nonconformance resolution made with the Japanese Space Agency in which one or more characteristics do process, other steps may be necessary. JAXA, while equivalent arrangements not conform to requirements specified There are three different environments were putted in place with Russians. in the contract, drawings, specifica- through which the anomaly resolution tions, or other approved documents. process may, in principle, progress: After the Columbia accident, there Includes failures, defects, anomalies, 1) real-time; 2) near real-time; and 3) of- were uncertainties at NASA about the and malfunctions”. A nonconformance fline environment. Usually, these three organizational placement of the safety at the level of detailed design which can environments are not mutually exclu- review panels, but eventually it was de- be solved without impact on system sive, nor are truly progressive. When an cided to maintain the chair reporting line level requirements is a ‘quality noncon- anomaly is observed, immediate and/ to program managers (ISS and Shuttle). formance’. If a safety relevant require- or urgent actions may be required to ment is affected it is a ‘safety noncon- ensure the safety of the crew, and then formance’. the anomaly can be further investigated

28 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

offline. Other cases may not require real- time troubleshooting or safety actions at Columbia Accident Investigation Board (CAIB) Report all and can be immediately addressed offline. The environment in which the anomaly is being handled determines The Board concludes that who is responsible for its investigation NASA’s current organization and resolution. does not provide effective The term ‘normal anomaly’, or ‘nor- checks and balances, mal deviance’, was coined after the does not have an indipendent Challenger disaster to denounce a fail- safety program and has not ure of the organization that tended to demonstrated the characteristics consider some recurrent anomalies as ‘normal’ although they were affect- of a learning organization ing high level safety requirements (Hall, 2003). This was the case of hot gases erosion of both redundant O-rings of the solid rocket motor field joints that fore the accident things were not at all ƒƒ Why did NASA continue flying the caused the Challenger disaster. Leak- so clear, and judgement open to bi- Shuttle with a known problem that age and multiple damages that in theory ases. There was a requirement in the violated design requirements? had a remote probability to take place Shuttle specification stating that no were judged innocuous and accepted material or parts had to be released ƒƒ The longer the Shuttle Program al- ‘as-is’ just because they were reoccur- during flight, the concern being dam- lowed debris to continue striking the ring without consequences. Usually, it age due to collision. Starting from the Orbiters, the more opportunity existed is very expensive and time-consuming first Shuttle flight there were chunks of to detect the serious threat it posed. to root out the cause of a problem, and insulating foam released from the main But this is not what happened. the motivation will surely lack if the prob- tank, but nothing serious happened. lem is not deemed to represent an actual The conclusion was that such light- ƒƒ Why were Debris Assessment Team “flight safety” risks. There is also a cul- weight foam could not be a problem. engineers so unsuccessful at commu- tural divide to take into account between Should we modify the requirement? nicating their concerns up the NASA operations team and safety teams, be- No, too much paperwork. It is formally shuttle hierarchy? cause the former looks to anomalies in an anomaly but has no consequence, the nominal context in which they gen- somehow the requirement is too strict. ƒƒ Why did NASA managers who es- erally happen, while the latter is trained It is a ‘normal anomaly’. poused safety principles and risk to project their occurrence under worst aversion so quickly dismiss signs of case conditions. The Columbia Accident Investigation risk and so readily accept facile ar- Board raised the following key questions: guments that the shuttle was safe to A ‘normal anomaly’ is something continue flying? perceived as between a non-confirmed anomaly and a confirmed one. It should not be there but can be seen as no prob- lem because previously there was no Example of cognitive biases consequence. Somehow the ‘granular- Tendency for people to evaluate ambiguous information in a way ity’ of the requirement is considered too Self-serving bias be coarse. The fact that the anomaly beneficial to their interests keeps reoccurring without consequenc- Putting a tremendous amount of weight on previous events, Gamble’s fallacy es is used as prove of its ‘normality’. believing that they'll somehow influence future outcomes

Also, the cause of the Columbia ac- Unwarranted assumption that a change will be inferior or Status quo bias cident, a loose piece of insulation foam make things worse from the main tank, was eventually traced back to the failure of the organi- Confirmation bias Tending to agree with people who agree with us zation to recognize the seriousness of a recurrent anomaly that was considered Bandwagon effect Going with the flow of the crowd ‘normal’. Overestimating the abilities and value of our immediate group In-group bias (program team) at the expense of people {independent experts) we With the advantage of hindsight, don’t really know. we can clearly see the mistake but be-

29 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

“Organizations that successfully nancial separation of the programmatic The technical authority operate high-risk technologies have and institutional authorities. a major characteristic in common: process is built on they place a premium on safety and The technical authority originates reliability by structuring their pro- with the NASA Administrator and is the organizational grams so that technical and safety then delegated to the Chief Engineer for engineering organizations own the technical standards, to Chief Safety and and financial process of determining, maintain- Mission Assurance (S&MA) for safety ing, and waiving technical require- standards, and then to center directors separation of the ments with a voice that is equal to (NASA, 2016). There is also a medical yet independent of Program Man- technical authority. Subsequent delega- programmatic and agers, who are governed by cost, tions down from the center director are schedule and mission-accomplish- formally made to selected individuals at institutional ment goals.” specific organizational levels. The activity of individuals holding technical authority authorities are funded independent of a program or Technical Authority project (NASA, 2014).

ƒƒ How did unquestioned and unex- Government space agencies in US Technical authority individuals are in- amined aspects of the NASA culture and Europe, have always struggled with volved in day-to-day program/project ac- contribute to the loss of the Columbia, the necessity of establishing a system tivities, including serving as members of are other organizations managing high of checks and balances to limit the au- control boards, change boards, and inter- risk technologies with checks/balanc- thority of program managers in taking nal review boards. According to the techni- es/safety reviews similar to NASA’s final decisions on safety matters. Safety cal authority process, decisions related to susceptible to the same blind spots review panels have enjoyed sometimes technical and operational matters involving and influences, and what can be done effective independence as long as the safety residual risk require formal concur- about it? program manager had no programmatic rence by the relevant technical authority interest about the impact of their deci- (engineering, safety and medical) based on ƒƒ With the striking similarity to the er- sions, otherwise panels gradually lost the technical merits of the case. Residual rors and systemic problems that con- their independence. safety risks require first acceptance by the tributed to the loss of the Challenger responsible program manager, then the in 1986, how could the lessons of Following accidents, the position consent of the technical authority, and final- Challenger have been forgotten so of head of safety has been periodically ly the acceptance of the responsible safety quickly? moved up in the hierarchy and given di- organization. Should a technical authority rect access to the head of agency, but disagree with a program action he/she can The answer is that as long as devia- the power of the program manager as submit the matter to the next higher level tions, having potential serious impacts on final decision maker remained basically of management. However, the program cost and schedule if not approved, are unaltered until the Columbia accident. manager has the freedom, if in the interest evaluated and decided upon by experts of the project, to proceed at risk in parallel and managers belonging to the same After the publication of the Columbia with the pursuit of a resolution through the program without the authoritative concur- accident report, NASA established an in- technical authority hierarchy. Resolution rence of an independent team, a certain dependent technical engineering author- is jointly attempted at successively higher amount of ‘cognitive bias’ should be ex- ity responsible for technical requirements levels of program and technical author- pected to influence the decision-making and all waivers to them and for indepen- ity until the dissent is resolved, with pos- process. In other words, people tend to dent oversight of programs and proj- sibility to raise the issue up to the NASA believe what they have interest to believe! ects. “Key principles in this framework administrator. include having clearly Engineers and managers at NASA defined roles and re- track thousands of program anoma- sponsibilities and hav- lies, and it is understandable that some ing an effective system anomalies may be perceived as normal, of checks and balances as acceptable low risk. What is not ac- to provide a firm foun- ceptable is that risk acceptance is done dation for the balance by the program without the concurrence of power between or- of an independent technical authority. ganizational elements”. The technical authority In the words of the Columbia Acci- process is built on the dent Investigation Board: organizational and fi-

30 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 3 COMMERCIAL PRODUCTS STANDARDS DEVELOPMENT AND CONFORMITY ASSESSMENT – AN OVERVIEW

3.1 ORIGIN OF STANDARDS

ne of the early examples of stan- Odardization was making rifle parts interchangeable between guns. This was a revolutionary idea from Thomas Jefferson and Eli Whitney, who was a mechanical engineer in the late 18th century. Whitney is sometimes called “The Father of Standardization,” since he was the first to manufacture prod- ucts on a large scale with the idea of complete interchangeability of parts. Years later, during the Civil War, the U.S. government recognized the military and economic advantages to having a stan- dardized track gauge. The government worked with the railroads to promote use of the most common railroad gauge Great Baltimore Fire 1904. in the U.S. at the time which measured 4 feet, 8 ½ inches, a track size that origi- nated in England. This gauge was man- It was evident that a new national stan- safety equipment. Soon afterwards, two dated for use in the Transcontinental dard had to be developed to prevent a boiler explosions in Massachusetts shoe Railroad in 1864 and by 1886 had be- similar occurrence in the future. factories, (Brockton, 1905 and Lynn, come the U.S. standard. 1906) motivated the Governor to include Up until that time, each municipal- in his inaugural address a demand for In 1904, a fire broke out in the base- ity had its own unique set of standards prompt action for improved public safe- ment of the John E. Hurst & Company for fire-fighting equipment. As a result, ty. One outcome of this mandate was Building in Baltimore. After taking hold research was conducted of over 600 fire the creation of a new Massachusetts of the entire structure, it leaped from hose couplings from around the coun- law, “An Act Relating to the Operation building to building until it engulfed an try and one year later a national stan- and Inspection of Steam Boilers” (1909). 80-block area of the city. To help com- dard was created to ensure uniform fire This motivated another state, Ohio, bat the flames, reinforcements from New York, Philadelphia and Washing- ton, DC immediately responded—but to To help combat the flames, reinforcements from no avail. Their fire hoses could not con- nect to the fire hydrants in Baltimore be- New York, Philadelphia and Washington, DC cause they did not fit. Forced to watch helplessly as the flames spread, the fire immediately responded—but to no avail. Their fire destroyed approximately 2,500 build- ings and burned for more than 30 hours. hoses could not connect to the fire hydrants

31 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

to draft their own laws in 1911. At the same time, as both states were develop- ing laws, ASME was looking to the future in a way that would change the boiler in- A standard consists of a set of characteristics dustry and its future evolution, industry- wide standardization. From ASME’s ac- that describes the features of a product, tions, the first edition of the Boiler and Pressure Vessel Code (BPVC) was is- process, or service, and against which sued in 1914 and published in 1915. it can be measured or assessed In the course of the 20th century stan- dardization practices spread throughout industry worldwide from machine tools and sewing machines to bicycles, auto- mobiles and eventually aviation. There measures taken by manufacturers, their were several incentives for standardiza- 3.2 customers, regulatory authorities, and tion across the industry: It enabled parts independent third parties to assess con- suppliers to produce large quantities for DEFINITIONS formity to standards. multiple customers, such that suppliers could gain economies of scale and lower In the past, it was considered that their costs. Suppliers passed these sav- here is no single, simple definition wide agreement on a standard could be ings on as lower prices to automobile Tof standard that captures the broad reached only as a result of long and suc- manufacturers. In addition, standardiza- range of meanings and uses of the term. cessful application of a technical prac- tion meant that if one supplier went out There are, however, general characteris- tice, which was then promoted to the of business, shortfalls of parts could be tics of many or most standards that will level of standard. Nowadays, standards made up by other suppliers without a serve as a working definition within this are often needed to be established up- delay for reconfiguring their machinery report. A standard consists of a set of front in many new technological fields to to new specifications. Standards also characteristics that describes the fea- support their integration and diffusion. allowed manufacturers to impose mini- tures of a product, process, or service, This is for example the case of the up- mum quality criteria on their suppliers. In and against which it can be measured coming transition from analogue ground- general, standardization benefited both or assessed. The description can take based technologies (radar, radio) for air suppliers and manufacturers throughout the form of detailed design/construction traffic management to digital space- the industry. rules or performance criteria. based data communication.

Mass production of cars by many A standard must be well designed, Standardization helps to build focus, companies was a formidable early driv- based in sound technology, appropriate cohesion and critical mass in the emerg- er for the establishment of consensus to the task at hand, and accepted as valid ing stages of technologies, and to codify standards. Coordinating standards de- and useful by the population of users. A and diffuse the state of the art. Consen- velopment among different automotive standard that meets these criteria, how- sus standardization processes driven by firms became the responsibility of the ever, still fails to have the effect its de- industry stakeholders enable competi- Society of Automotive Engineers (SAE). velopers intended if products, processes tion between and within technologies SAE was a professional society whose or services designed to conform to it do and contribute therefore to innovation membership spanned the industry, in- not, in practice, conform. Conformity as- and growth (Blind, 2013). cluding both manufacturers and suppli- sessment is the comprehensive term for ers; was independent of any one firm or set of interests; and had the technical competence for the required work. Its success in reducing the variety of parts Conformity assessment is the comprehensive and in promoting interchangeability and quality was such that the National Au- term for measures taken by manufacturers, tomobile Chamber of Commerce, an industry trade association, estimated in their customers, regulatory authorities, 1916 that SAE standards yielded cost reductions of 30 percent in ball bearings and independent third parties to assess and electrical equipment and 20 percent in steel. conformity to standards

32 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

standards like ISO 9001 or with the more 3.3 3.3.1 stringent aerospace quality assurance standard AS9100 developed by IAQG, a FUNCTIONS OF Process Management consortium of major aerospace compa- nies, and published by SAE. Accredited STANDARDS independent auditors perform confor- anufacturers not only design prod- mity assessment against such voluntary Mucts to conform to standards, standards. ased on the purpose of a standard we sometimes they also organize the manu- Bcan identify seven categories: foster- facturing process itself in accordance ing commercial communication; diffusing with standards. For example, the U.S. technology; raising productive efficiency; Occupational Safety and Health Admin- enhancing market competition; ensuring istration (OSHA) regulates many manu- 3.3.2 physical and functional compatibility; facturing processes to protect worker improving process management; and safety. Independent inspection and audit Public Welfare enhancing public welfare. of production play a key part in the en- forcement of process standards such as Because of the purpose of this report those set by OSHA. Company may also tandards are an important means we will focus on two categories: process apply process management to quality Sof promoting societal goals, such management and public welfare assurance, in accordance with voluntary as protection of health, safety, and the

Category of standards For example… 1. COMMERCIAL COMMUNICATION (a) construction materials — standard dimensions, strengths, and durabilities make it easier Standards convey information about for the builder to select materials for specific purposes a product to the buyer in a consistent, (b) film speed — standard ratings (ISO 100, 200, 400, etc.) simplify matching film to understandable manner. photographic needs

2. TECHNOLOGY DIFFUSION (a) personal computer architecture — use of PCs expanded rapidly once IBM-compatibility A technological advance incorporated into standard came into being a standard is more readily adapted and (b) advanced materials (e.g., composites, ceramics) — standards that describe processing used by others. and test methods allow duplication and improvement upon state of the art

3. PRODUCTION EFFICIENCY (a) automobile assembly line — efficient mass production pioneered with the Ford Model T Standardization of parts, processes and (b) fast food chains (e.g., McDonald’s) — food, restaurant style, equipment, and procedures products enables economies of scale in standardized for efficiency production.

4. ENHANCED COMPETITION (a) direct-dial long-distance telephone service — competing carriers offer a standardized When some or all of the features of basic service; competition centers on price and extra services different manufacturers’ products conform (b) gasoline — octane ratings allow consumer to compare similar products on the basis of to one standard, comparison is easier and price competition sharper.

5. COMPATIBILITY (a) Internet — standard format for sending and receiving data enables communication among Standards defining interfaces enable computers worldwide products to work or communicate with (b) stereo system components — various types of components can be connected with each other. standard cables and jacks

6. PROCESS MANAGEMENT (a) numerically controlled machine tools — standard computer languages allow rapid Manufacturers not only design products to reconfiguration of production line conform to standards, they also organize (b) quality assurance — ISO 9000 series of standards guides firms in setting up and the manufacturing process itself in maintaining a quality assurance management system accordance with standards.

7. PUBLIC WELFARE (a) health codes — restaurants conform to sanitary standards that are backed up by Standards are an important mechanism for inspections promoting societal goals, such as protection (b) automobile air bags, seat restraints, and bumpers — governmentmandated crash of health, safety, and the environment. protection

33 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

environment. Government agencies at the national, regional, state, and local A standard arising from uncoordinated processes in the competitive levels administer thousands of regula- marketplace. When a particular set of product or process specifications tory standards or technical regulations. De facto gains market share such that it acquires authority or influence, the set These govern the characteristics of the Standard of specifications is then considered a de facto standard. products and services that manufactur- ers produce and the materials and pro- Example: IBM-compatible personal computer architecture. cesses that they use in producing them. Some regulatory standards are devel- A standard arising from a formal, coordinated process in which key oped by government agencies, but many participants in a market seek consensus. Use of the resulting standard are developed within the private sector Voluntary isvoluntary. Key participants may include not only designers and and adopted by government. Govern- Consensus producers, but also consumers, corporate and government purchasing ment is both a major producer and a ma- officials, and regulatory authorities. jor user of standards. This report takes Standard as given the fact that public needs may Example: photographic film speed — ISO 100, 200, 400, etc., set by sometimes outweigh other concerns. International Organization for Standardization (ISO). There are, for example, health and safety concerns that justify imposition of regu- A standard set ny government. A procurement standard specifies latory standards despite the costs they requirements that must be met by suppliers to government. A regulatory impose on manufacturers and consum- standard may set safety, health, environmental, or related criteria. Voluntary standards developed for private use often become mandatory ers. Government is also a major pur- Mandatory when referenced within government regulation or procurement. chaser of goods and services, frequently Standard by means of procurement standards and Example: automobile crash protection — air bag and/or passive specifications. As a result, government seat restraint mandated by National Highway and Traffic Safety agencies have a public interest in obtain- Administration. ing the best value for money through ap- propriate standards and efficient confor- mity assessment procedures. controls the U.S. standards development drafted by federal agencies. The bound- system. The efforts of many U.S. volun- ary between voluntary and mandatory tary consensus standards organizations, standards is not always distinct. Govern- however, are coordinated by the private, ment standards writers frequently refer 3.4 nonprofit American National Standards to privately developed, voluntary stan- Institute (ANSI). This organization sets dards within the text of regulations and TYPE OF guidelines for groups to follow in manag- procurement specifications. Mandatory ing the consensus-seeking process in a standards may cite voluntary standards STANDARDS BY fair and open manner. ANSI reviews and in whole or in part, with or without ad- accredits many U.S. standards-setting ditional criteria beyond those set in the DEVELOPMENT organizations for compliance with these referenced standard. guidelines. It also approves many of the standards these organizations produce, rincipal types of standard by develop- designating them as American National Pment process are: de facto standard, Standards. voluntary consensus standard, and man- 3.4.1 datory standard. Mandatory standards are stan- dards set by government with which Development of De facto standards may arise with- compliance is required, either by regula- out formal sponsorship, simply through tion or in order to sell products or ser- Consensus Standards widespread, common usage. vices to government agencies. Even in the case of standards written by govern- When groups write standards through ment, the process of development is not Consensus standards developing a formal process of discussion, drafting, without private input or participation. For organizations and review. to meet customer, industry, example, laws governing administrative and public needs, and the resulting stan- processes, such as the Administrative tandards developing organizations dards are published for voluntary use Procedures Act, require public review S(SDOs) belong to one of three main cat- throughout industry, such standards are and comment on proposed regulations. egories: professional societies, industry termed voluntary consensus standards. The Federal Register regularly publishes associations, and standards-developing No single organization, public or private, requests for comments on standards membership organizations. In addition,

34 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

consortia are playing an increasingly Voluntary Consensus Standard American Society for Testing and Materi- important standards development role, Process als (ASTM), and the Institute of Electrical particularly in industries characterized and Electronics Engineers (IEEE). Unless by rapid advance of technology. In US, The typical method for develop- the standard is subsequently mandated SDO’s are private organizations. Outside ing voluntary consensus standards is as part of a government regulation or US many countries have a central, prima- to coordinate participation of volunteer procurement specification, its accep- ry national standards-developing body. technical experts in standards-writing tance by potential users is voluntary. This is usually a government-chartered committees. Committee membership is Standards adopted as mandatory by private organization or a quasi-public generally selected to represent a diversity government, moreover, are usually more agency, rather than a direct agency of of interests and viewpoints. draft techni- effective if they reflect consensus among the government. Examples include Ger- cal standards are proposed, discussed, affected parties. A consensus among many’s Deutches Institute fur Normung revised, and voted on. Consensus is the interested parties during the design of (DIN), the British Standards Institute (BSI), key goal. Although negative votes do not a standard clearly increases its pros- and France’s Association Francaise de prevent a standard’s adoption, they must pects for broad acceptability. The sec- Normalisation (AFNOR). To promote trade generally be considered and responded ond feature of the voluntary consensus inside the European Union (EU), the EU to in writing. After review, comment, and standard process is the administrative endorses the work of the three Euro- approval by the SDOs oversight board due process. These groups have formal pean standards (harmonization) bodies: and membership at large, the organiza- policies governing such facets of stan- The Comité Européen de Normalisation tion publishes the standard. Firms also dards development as technical com- (CEN, founded in 1961), the Comité Euro- pay salary and travel expenses for em- mittee membership; setting the scope of péen de Normalisation Électrotechnique ployees who serve as individuals in the proposed standards; drafting and revis- (CENELEC, founded in 1973), and the Eu- work of professional societies and stan- ing standards; voting within committees; ropean Telecommunications Standards dards-developing membership organi- review of draft standards by higher au- Institute (ETSI, founded in 1988). zations such as SAE International, the thority within the SDO; and balloting and

Consensus Standards Developing Organizations

Professional Societies Membership Organizations Professional societies are individual membership organizations Unlike industry associations and professional societies, standards- that support the practice and advancement of a particular developing membership organizations have standards development profession. Several such societies, particularly in the engineering as their central activity and mission. They do not limit their disciplines, develop technical standards. The goal of these SDOs is membership to an industry or profession, and they tend to have generally to find the best technical solution to meet an identified the most diverse membership among all SDOs. Their procedures need. Participants in standards committees serve as individual tend to have the strictest due process requirements. Publishing and professionals, not as representatives of the firm they work for. selling standards documentation accounts for the majority of their (e.g. IEEE-Institute of Electrical and Electronics Engineers, ASME- revenues. Membership fees are generally relatively low, facilitating American Society of Mechanical Engineers) participation by individuals not sponsored by an employer. (e.g. ASTM - American Society for Testing and Materials). Industry Associations Industry associations, also known as trade associations, are Consortia organizations of manufacturers, suppliers, customers, service Standards consortia are a response to the rate of technological providers, and other firms active in a given industry sector. advance outpacing consensus standards development in some Their mission is to further the interests of their industry sector, industry sectors. Participation in standards-setting is generally including the development of technical standards. Many industry limited to consortium members. Requirements for openness, associations develop standards or sponsor their development consensus, and due process are less strict than in other standards- through a subsidiary or associated SDO. Funding is primarily developing organizations, primarily to speed the development through members' dues. Members of technical committees typically process. In fact, standards produced by consortia represent a hybrid serve as representatives of their firm. Each firm carries equal weight stage between de facto industry standards and full consensus in committee voting, regardless of the number of experts it sends standards (e.g. IAQG – International Aerospace Quality Group). The to participate in the committee’s standards development work. original objective of the IAQG members (leading aircraft and engines Industry association SDOs are likely to be more openly responsive to manufacturers) was to upgrade the ISO 9001 consensus voluntary commercial market concerns in their technical decision making than standard with harmonized quality assurance requirements they other types of SDOs. used to levy on suppliers, and to establish a consortium-controlled accreditation system for third party conformity assessment.

35 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

approval by the membership at large. Familiar examples of certification, among Alexander Carlisle, one of the managing Formal procedures, such as open par- many others, are the Underwriters Labo- directors of the shipyard that built it had ticipation and review, also serve as pro- ratories for commercial product safety suggested using a new type of larger da- tection against allegations of collusive certification (the UL mark). vit, which could handle more boats thus behavior for participants from competing giving Titanic the potential for carrying firms. 48 lifeboats providing more than enough 3.6 seats for everybody on board. But in a cost cutting exercise, the customer SAFETY STANDARDS (White Star Line) decided that only 20 lifeboats would be carried aboard thus 3.5 DEVELOPMENT providing capacity for only about 50% of the passengers (on the maiden voy- CONFORMITY AND CONFORMITY age). This may seem a carefree way to treat passengers and crew on-board, ASSESSMENT CERTIFICATION but as a matter of fact the Board of Trade regulations of the time stated that all British vessels over 10,000 tons had tandards would be unable to fulfill any to carry 16 lifeboats. The regulation had Sof their functions without some de- 3.6.1 become obsolete within a short period gree of confidence that manufacturers’ of time when at the beginning of the claims for their products of conformity to Prescriptive vs. 20th century ship tonnage raised up to standards are correct and justified. Such Titanic’s 46,000 tons. Furthermore, the assurance can come from the firm’s in- performance safety RMS Titanic was believed to be unsink- ternal procedures for meeting standards; able by design, therefore why worry from review by an independent, private standards about lifeboats? source outside the firm; from a govern- ment-mandated regulatory program; or Prescriptive Standard. Prescrip- from a combination of such elements. n the early hours of 15 April 1912, the tive standard is a standard that specifies Conformity assessment is the compre- IRMS Titanic struck an iceberg on her design requirements, such as materials hensive term for procedures by which maiden voyage from Southampton, to be used, how a requirement is to be products and processes are evaluated England, to New York, and sank. A total achieved, or how an item is to be fab- and determined to conform to particular of 1,517 people died in the disaster be- ricated or constructed, such that the standards. As distinct from standards cause there were not enough lifeboats item can be considered safe. The Titanic development, conformity assessment available. During the Titanic construction accident illustrates what a prescriptive may be thought of as a central aspect of the use of standards.

Conformity assessment comprises three areas. The first area,manufac - turer’s declaration of conformity, is assessment by the manufacturer based on internal testing and quality assurance mechanisms.

Second is testing of products, parts, and materials performed by independent laboratories as a service to the manu- facturer. Independent testing may be of value to the manufacturer as an outside confirmation of in-house test results; it may be required by a customer as a con- dition of sale; or it may be mandated by a regulatory agency.

The third area is certification, formal verification by an unbiased third party (review of design, testing, etc.) that a product conforms to specific standards. A total of 1,517 people died in the RMS Titanic disaster because the number of lifeboats requirement was obsolete.

36 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

requirement is (i.e. an explicitly required change and the emergence of new haz- design solution for an implicit safety How performance ards in ways that prescriptive standards goal), and how it can sometimes dramat- cannot. Performance standards can be ically fail by obsolescence. standards are designed imprecise when the requirements are too loosely specified or can be questionable The underlying motivation for pre- and how they are when performance has to be assessed scriptive requirements is to prevent cir- by quantitative predictions. Sometimes cumvention by avoiding any subjective implemented and uncertainty is injected into a performance interpretation in the implementation as standard just because of the need to be well as in compliance verification. Viola- enforced matters generic. tion of requirements can be unequivo- cally determined by simple inspections. greatly How performance standards are de- signed and how they are implemented The vast majority of standards in and enforced matters greatly. use in aviation and other “evolution- ary” industries are the result of lessons Performance standards include re- While it is useful for conceptual learned from incidents and accidents, quirements that are qualitative and/or purposes to distinguish performance and steady technological advancement. quantitative with reference to the ulti- standards from prescriptive standards, They are detailed per type and prescrip- mate goal (e.g. level of safety). Quanti- in practice the two approaches can be tive. In contrast, there are industries in tative performance requirements can be better thought of as end points along a which building on future experience is distinguished between those for which spectrum of requirements running from simply not possible, because the system compliance can be demonstrated by what might be considered “pure” per- is completely new, highly safety-critical prediction (e.g. launch failure), and those formance standards to “pure” design and/or extremely expensive. for which compliance can be demon- standards, depending on advantages strated by measurement (e.g. air con- and limits. A good performance standard Performance Standard. A perfor- taminants in the habitable environment). may leave ample freedom to the design- mance standard specifies the outcome er by setting goals at system level, while required (e.g. safety level) but leaves the By focusing on outcomes, perfor- somehow constraining the designer’s concrete measures to achieve that out- mance standards give to developers flex- freedom for some high-risk technologies come (e.g. hazards risk mitigation and ibility, and make it possible for them to (e.g. batteries, pressure vessels, EMC) control measures) up to the discretion of find the lowest-cost means to achieve where existing prescriptive requirements the designer. compliance. Performance standards can are known to work well. However, by in- generally accommodate technological cluding a clause in the standard about

Pros and Cons of Prescriptive Requirements

Advantages of prescriptive standards, Disadvantages of prescriptive standards, also called design standards or rules-based also called design standards or rules-based standards standards

• Easier for developers and operators to implement • Mandated solutions may be effective in some cases but not in other cases • Easy to check compliance with for the safety authority • Mandated solutions may prove to be more costly than other • Schedule efficient: just read and transpose into design equally effective solutions • No need (for industry) to think “is this good enough” • By specifying how to act, prescriptive standards can inhibit innovation or become obsolete • Are reactive (reviewed and changed post mishap) • May lead to over/under-engineering • Nurture a compliance mindset rather than a safety mindset

37 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

In the context of many commercial and regulatory uses of standards, in particu- LOW lar those related to public welfare, mea- sures to evaluate and ensure conformity Nothing new or unusual. are of as much or more significance than Well understood issues. Codes & Standards the standards themselves. Extablished practice. SAFETY RULES Manufacturers of potentially dan- MEDIUM gerous products generally maintain in- ternal assurance procedures and also Uncertainty/deviation from standard practice. Engineering seek third party conformity assessment. Possible safety trade-offs. judgement Third-party assessment is the sector of Economic and lifecycle implications. the conformity assessment system that has grown most in recent years. In most commercial interactions, there is no need HIGH for the added expense and complexity of Risk-based design third-party conformity assessment. There Novel or/challenging concepts. First-principles is, however, one circumstance in which Large uncertainties. RISK ASSESSMENT relying on the manufacturer’s declaration Significant safety trade-offs. and the purchaser’s own assessment is inadequate, when the safety, health, or environmental impact of a product are Level of Innovation and Risk-Based Design (Papanikolaou et al. 2009). sometimes too important to be left to the manufacturer’s own assessment and too expensive or technically difficult for the “Equivalent Safety”, ultimate freedom for customer to perform. This is true, for ex- the designer is restored. 3.6.2 ample, of products whose failure could lead to injury, illness, property damage, The correct implementation of per- Third-party Safety or loss of life. In these cases, it is unac- formance standards requires training/fa- ceptable to discover the product’s non- miliarity of the project team such to avoid Certification conformity after a failure has occurred. misinterpretations of the requirements Much of the U.S. conformity assessment (too loose, too tight). Sometimes, guide- system exists specifically to address this lines on requirements interpretation and onformity assessments of prescrip- type of safety, health, and environmental accepted means of compliance can help Ctive standard versus performance concern. In regulated product sectors, the design team. “Safety Equivalency” standard vary greatly. While objective such as aircraft, automobiles, agricul- demonstration may require sophisticat- evidence of compliance with prescriptive tural chemicals, heavy machinery, and ed analysis like PRA (Probabilistic Risk requirements is straightforward through drugs, a regulatory authority requires Assessment). inspections and tests, assessing com- competent, prior assurance of conformi- pliance with performance requirements ty to relevant standards before a product The key concept in implementing a necessitates an independent multi-dis- can be accepted and used. Many regu- performance safety standard is that it ciplinary review team with design and lations require third-party assessment to cannot be used directly for the design but operations skills and competences equal verify product safety. Drug safety certi- it is an input to a risk-based design pro- or even better than those of the proj- fication required by the Food and Drug cess. Performance requirements are tai- ect team. Furthermore, the review team Administration is an example of a federal lored through hazard analysis and modu- chair must have the authority to mandate program of this type. lated depending on consequence severity actions, to “own” the standard’s uncer- such to aim for low probability of occur- tainties (provide interpretations), to ap- Often in the field of safety, standards rence for high-consequence events, while prove equivalencies, and to recommend development and certification of con- allowing higher probability of occurrence approval/disapproval of deviations. formity are performed by the same or- for low-consequence events. ganization as “public service” or under delegation from the Government. A well- known certification mark found on many Measures to evaluate and ensure conformity products is the “UL” label. This mark is owned and managed by Underwriters are of as much or more significance Laboratories, a nonprofit institution that develops safety standards and tests than the standards themselves and certifies many consumer and other

38 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Independent (safety design) Peer Review

According to The UK Nuclear Industry Guide To Peer Review of matter. Peer Reviewers must also have an understanding of the Safety Cases, August 2016, “A key benefit of Independent Peer principles and concepts in safety and safety management and of Review is that it allows a competent team, free from project/pro- the safety regulatory framework, standards, guidelines and codes duction pressures, the time to read the safety submission and to of practice pertaining to the subject of the submission”. think clearly and logically about the hazards and risks inherent “It is particularly important to be aware of the dangers of Peer in an activity and from this make a judgement on whether the Reviewers losing their independence and becoming part of the safety submission has demonstrated that these hazards and risks project team’s decision-making process. Peer Reviewers should are adequately controlled. Being independent from those respon- not advise projects on what decisions to make or what safety ar- sible for the production of the safety submission allows the Peer gument would be acceptable and must not provide verbatim text Review process to bypass any 'group think' mentality and any pre- to be written into a safety submission. Nevertheless, in the in- judgements on safety that may exist within production teams.” terests of efficiency, if a Peer Reviewer is aware of a better way “The Peer Reviewer must have a comparable degree of technical of doing things or something important has been missed, then competence and experience to the author of the safety submis- they should point this out in clear and unambiguous terms whilst sion. Peer Reviewers should therefore have appropriate academic, being careful not to compromise their independence when giving professional or vocational qualifications in the relevant subject such advice to a Project”.

products. Other examples are illustrated In 1834, the Lloyd’s Register of Brit- major classification societies established here below. ish and Foreign Shipping' was recon- the International Association of Classifi- stituted as a self-standing ‘classifica- cation Societies (IACS) to provide coor- In the case of certification against tion society’. Following the example, a dinated technical support and guidance a performance safety standard, unique number of Classification Societies were to the International Maritime Organiza- skills and a well-thought organizational established worldwide in 19th century: tion (IMO) and to national maritime orga- set-up are required. The results of the Bureau Veritas, Registro Italiano Navale, nizations. safety analysis, the description of the risk American Bureau of Shipping, Det Nor- mitigation measures, and the verification ske Veritas, Germanischer Lloyd and Legally, Classification Societies act of implementation of such measures are Nippon Kaiji Kyokai), followed in 20th as a “Recognized Organizations” carry- documented in a report that it is submit- century by Russian Maritime Register of ing out statutory surveys and certifica- ted to an independent peer review (also Shipping, China Classification Society, tion as delegated by national maritime called safety review panel) as the design Korean Register and Indian Register of administrations (flag administrations). In progresses. Such report is sometimes Shipping. particular: called Safety Case or Safety Data Pack- age, Safety Submission, etc. In 1948, the United Nations Interna- ƒƒ Developing technical standards for tional Maritime Organization (IMO) was design and construction of ships established to deal with maritime safety, Classification Societies traffic and environmental issues within ƒƒ Approving designs against those an international framework. In 1968, the standards In the second half of the 18th cen- tury, marine insurers based at Lloyd’s coffee house in London, developed a system for the independent inspection of ships presented to them for insurance coverage. In 1760, a committee was formed for this express purpose, the ear- liest existing result of their initiative be- ing Lloyd’s Register Book for the years 1764-65-66. The condition of each ship was classified on an annual basis. Hull condition would be A, E, I, O or U, ac- cording to the excellence of its construc- tion and its perceived continuing sound- The world oldest “safety institute” the Lloyd’s Register of ships is nearly three centuries old. Bizarrely, it all began ness (or otherwise). rather modestly in a London coffee house.

39 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

ƒƒ Conducting technical surveillance operators to develop safety programs during construction The gas and oil industry based on best-practices that are rigor- ously assessed by well-trained third- ƒƒ Performing in-service inspection and must move towards party auditors. The COS is a branch periodic survey during operation of a trade organization, thus attracting developing a notion of some criticism about its independence ƒƒ Reviewing and approving in-service (theconversation.com, 2014). modifications safety as a collective ƒƒ Performing safety research and responsibility FIA Institute for Motor Sport Safety development programs and Sustainability

The standards published by Classi- In the first three decades of the fication Societies, together with the re- collective responsibility. Industry should Formula 1 World Championship, inau- quirements set down in the various Inter- establish a “Safety Institute…this would gurated in 1950, a racing driver’s life national Conventions of the International be an-industry created, self-policing en- expectancy could often be measured Maritime Organisation (IMO) and the ma- tity aimed at developing, adopting, and in fewer than two seasons. It was ac- rine legislation of the flag states, form a enforcing standards of excellence to en- cepted that total risk was something comprehensive and coherent set of stan- sure continuous improvement in safety that went with the job (Tremayne, 2000). dards for design, construction and main- and operational integrity offshore” (Na- tenance in operation of ships. Classifica- tional Commission, 2011). In early 2011, tion Societies maintain a leading role in following the recommendation, industry A racing driver’s life all matters related to technical standards created the Center for Offshore Safety and certification activities, while national (COS), with the stated mission to “pro- expectancy could often and international governmental organi- mote the highest level of safety” for off- zations concentrate primarily on opera- shore operations through “leadership be measured in fewer tional and environmental matters. and effective management systems”. The Center for Offshore Safety helps than two seasons Classification Societies are special- ized but they operate in an industry that has evolved over centuries and therefore does not require unique competences. They are independent because they are not controlled by, and do not have in- terests in, ship-owners, shipbuilders or engaged commercially in the manufac- ture, equipping, repair or operation of ships. They are completely separated from industry because of historical rea- sons, and being favored by the market size of ships certification business. Their authority is essentially delegated from the government.

Center for Offshore Safety

On April 20, 2010 the Deepwa- ter Horizon oil rig located in the Gulf of Mexico exploded and subsequently sank killing 11 people, injuring 17, and causing the largest marine spill and en- vironmental catastrophe in history. The report of the U.S. Presidential Commis- sion that investigated the disaster made, among others, the recommendation that “the gas and oil industry must move to- The Deepwater Horizon oil rig exploded and sank killing 11 people, and causing the largest environmental catastro- wards developing a notion of safety as a phe in history.

40 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

How on earth did they change the riskiest sport into one of the safest?

They pulled apart all of their processes and equipment and changed what was happening on and around the [Formula 1] track. Jackie [Stewart] makes a pretty bold claim that, based on the numbers, is hard to argue with, “there is no doubt that Formula One has the best risk management of any sport and any industry in the world”. Far from being the preserve of overthinking pessimists, I believe that risk management is actually the place where you’ll find the bravest and hardiest of souls. People who care less about being popular and more about saving lives, businesses, and sometimes, entire communities. It is not for the fainthearted. You need to be tenacious. Backsliding can easily happen, so you need to be vigilant, too. But the rewards are potentially enormous. (The Triumph of Risk Management, Craig Thornton, Adjunct Faculty Television, Radio & Film, Syracuse University)

The turning point was the Imola Grand radioactive gases into the atmosphere. gathering, review and analysis of op- Prix of 1994 with live coverage of Roland The accident although minor in its health erating experience at all nuclear power Ratzenberger and Ayrton Senna deaths consequences, had widespread and pro- plants, coupled with an industrywide in- that forced the car racing industry to found effects on the American nuclear ternational communications network to look seriously at safety or risk the loss power industry. It resulted in temporary facilitate the speedy flow of this informa- of television rights. In the days after the closing of seven reactors and moratori- tion to affected parties” (Kemeny, 1979). Imola crashes the FIA (Fédération Inter- um on the licensing of new reactors that In response to the recommendations, nationale de l’Automobile) established significantly slowed industry for several industry established in December 1979, the Safety Advisory Expert Group, later years (history.com). the Institute of Nuclear Power Operations renamed FIA Safety Institute, to identify (INPO) as a not-for-profit organization innovative technologies to improve car The Kemeny Commission, which with the mission to promote the high- and racetrack safety, and to mandate president Jimmy Carter formed to inves- est levels of safety and reliability in the certification testing. Nowadays Formula tigate the accident recommended that operation of commercial nuclear power 1 car racing is a safe multi-billion dol- “The (nuclear power) industry should es- plants. The INPO establishes perfor- lar business of sponsorships and global tablish a program that specifies appro- mance objectives, criteria and guidelines television rights. Entertainment for fami- priate safety standards including those for the nuclear power industry, conducts lies that can be enjoyed without risking for management, quality assurance, and regular detailed evaluations of nuclear shocking sights. The institute was reor- operating procedures and practices, and power plants, and provides assistance ganized as integral part of FIA in 2016. that conducts independent evaluations” to help nuclear power plants continually and that “There must be a systematic improve their performance.

Institute of Nuclear Power Operations The nuclear power industry should establish In March 1979, a series of mechani- cal and human errors at the Three Mile a program that specifies appropriate Island nuclear generating power plant in Pennsylvania, caused an accident that safety standards including those for profoundly affected industry. management, quality assurance, A combination of stuck valves, mis- read instruments, lack of information and and operating procedures and practices, poor decisions led to a partial meltdown of the reactor core and the release of and that conducts independent evaluations

41 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 4 STANDARDS CURRENTLY USED IN COMMERCIAL SPACE PROGRAMS

“Armchair authori- realize the vast majority of standards and 4.1 ties like to discuss requirements do not show up in the NPR the “big ticket” 8705.2C Human Ratings Requirements INTRODUCTION items in the Human document, they must be searched out in Ratings Require- a hundred subordinate documents.” ments: redundan- (Hale, W. 2010) ften technical standards are seen as cy requirements Osomething different and separated for fault tolerance, from safety standards just because or minimum factor they are under the authority of differ- of safety for struc- ent organizations, Engineering, instead tures as examples. 4.2 of Safety & Mission Assurance (S&MA). Wayne Hale Real rocket build- As a matter of fact, many requirements NASA Shuttle Program ers know while UNITED STATES levied by technical standards for human- Manager (ret.) those are impor- rated systems development are aimed at tant, the real key to minimizing the safety risk. Wayne Hale, safety and success is very much more af- he commercial spaceflight industry is former NASA Shuttle Program Manager, fected by the quality of parts and myriad Tdeveloping in U.S. under some spe- made the point as follows: individual steps in workmanship of the cific constraints on the establishment of end product. These are measured against government regulations and internation- thousands of individual checks against al activities: namely legal moratorium un- the appropriate standard. So, you must til 2023 on safety regulations for humans

A A non- regulatory Commercial regulatory organization organization (FAA) that Human (NASA) that cannot Spaceflight regulates regulate ?

Suborbital Orbital

Orbital vehicles have suborbital flight capabilities, and in some cases both versions have been designed (e.g. Dream Chaser of SNC). However, while requirements for safety certification of orbital flights are available from NASA, FAA is forbidden to levy similar requirements for suborbital vehicles.

42 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

on board, and export control rules. The Differently from all other NASA pro- more, industry can use the NASA CCP moratorium was spearheaded by pro- grams, companies involved in the CCP certification program as model for devel- ponents of suborbital spaceflight fearing program own and operate their space- oping their own independent third-party imposition of extensive (and expensive) craft and infrastructure and are free to certification process. aviation-like certification test programs. design the system they think is best, and The export control rules limit instead the to use the manufacturing and business dissemination of technical information operating techniques they choose. How- outside the country because of space ever, the NASA program has to imple- technologies dual-use. ment the safety policy outlined in a dedi- 4.3 cated document (ESMDCCTSCR-12.10) Because of the moratorium on safety (NASA, 2010), and companies must meet EUROPE regulations for humans on board, cur- or exceed a pre-determined set of NASA rent U.S. legislation requires only that technical and safety requirements. In the a commercial space operator obtains a initial phase of the CCP program, NASA tandards meant for voluntary use also FAA license for public safety of launch made an inventory of such standards and Son commercial space systems were and re-entry operations. But there is one recommended them either as reference started in Europe in the early 1990’s un- remarkable exception: operators provid- baseline (meet or exceed) or as good der an initiative called ECSS (European ing commercial transportation services practices, stating that “In the course of Cooperation for Space Standards). to the International Space Station under over forty years of human space flight, the terms of NASA’s Commercial Crew NASA has developed a working knowl- In 1987, Europe started an ambi- Program (CCP) are required to obtain edge and body of standards that seek to tious human spaceflight program in- a NASA safety certificate for the safety guide both the design and the evaluation cluding Hermes spaceplane, Ariane 5 of humans on board, as foreseen by the of safe designs for space systems”. human-rated launcher, and Columbus original agreements signed by govern- Man-Tended Free-Flyer. At that time ments participating to the ISS program Safety policy and technical stan- the European Space Agency (ESA) had (NASA OIG, 2016). In U.S. a de-facto dards used by NASA Crew Commercial a safety standard, PSS-01-40, based double regulatory regime exists (no- Program represent an excellent refer- on Shuttle/Spacelab experience. Be- regulation/full-regulation) for safety on- ence from which U.S. commercial hu- cause of the close involvement in those board space vehicles depending if the man spaceflight industry can develop new programs of other European space customer is a private entity or NASA policies and standards to be used on agencies, in particular the French Space ISS Program. non-NASA suborbital and orbital com- Agency CNES, and because of industry mercial spaceflight programs. Further- interest to establish common standards

NASA Commercial Safety Certification Document

The safety policy document ESMD-CCTSCR-12.10 “Commercial Crew Transportation System Certification Requirements for NASA Low Earth Orbit Missions” includes four parts:

• Certification: outlining scope and elements of the • Safety Requirements: system capabilities in certification process: validation of the technical and three primary categories of system safety, crew/hu- performance requirements/standards; verification man control of the system, and crew survival/aborts. of compliance with requirements/standards; consid- eration of operational experience; and acceptance of • Standards: in the fields of engineering, safety, and residual technical risk due to hazards, waivers, non- medical/health, subdivided in those that must either compliances, etc. be met as written, or equivalent alternate proposed to NASA Technical Authority for approval, or represent- • Documentation: compilation of plans and docu- ing recommended best practices. ments required for submittal at project milestones to collectively prove that the system meets technical re- quirements and is safe.

43 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

for their commercial satellite business, a joint standardization initiative was ECSS Disciplines launched to create a single system of European space standards. The aim was to improve industrial efficiency and com- ECSS-S-ST-00C ECSS-S-ST-00-01C petitiveness, by making available a single System description Glossary of terms set of technical, safety/QA, and man- agement standards to satisfy govern- ment and commercial contractual needs without differentiation. In the autumn of Space project Space product Space engineering Space sustainability 1993, European agencies and industry management branch assurance branch branch branch partners signed the ECSS terms of ref- erence which defined the framework and M-10 discipline Q-10 discipline E-10 discipline U-10 discipline the basic rules of the ECSS system, and Project planning and Product assurance System engineering Space debris concurrently the space agencies commit- implementation management ted to gradually discard and replace their M-40 discipline Q-20 discipline E-20 discipline U-20 discipline own standards with ECSS standards in Configuration and Electrical and optical Planetary protection information management Quality assurance engineering all future programs. In accordance to the

ECSS terms, the European space indus- M-60 discipline U-30 discipline try assumed from the outset an equal Cost and schedule Q-30 discipline E-30 discipline Space situation management Dependability Mechanical engineering awareness rank in the direction and development of

ECSS standards, and held an equal share M-70 discipline Integrated logistic Q-40 discipline E-40 discipline of voting rights on their approval. support Safety Software engineering

Several standards in the ECSS sys- M-80 discipline Q-60 discipline E-50 discipline tem were an adaptation of previous Risk management EEE components Communications agencies standards, but many new stan- dards were developed in the course of Q-70 discipline Materials, mechanical E-60 discipline the years. The ECSS technical standards parts and processes Control engineering were extensively used for designing Eu- ropean elements, facilities and payloads Q-80 discipline E-70 discipline Software product Ground systems and of the International Space Station, in- assurance operations (as of 6 May 2014) cluding in particular Columbus module and ATV cargo transportation vehicle.

The previous ESA PSS-01-40 safety standard was the basis for the ECSS-ST-Q-40 “Safety”. This standard is essentially a statement of safety policy. It includes four main parts:

• Safety Program: planning, organization, roles and re- • Safety Analysis Requirements and Techniques: hazard sponsibilities, risk management, safety review pro- analysis, safety risk assessment, supporting analyses cess, approval authority, training/awareness, docu- mentation • Safety Reporting and Verification: hazard reporting, verifications planning and methods, hazard close-out • Safety Engineering: policy and principles, risk reduction and control, failure tolerance, design for minimum risk, safety-critical functions, operations safety

The ECSS-ST-Q-40 standard identifies three roles: supplier, customer, and safety authority. The supplier is the system developer. The safety authority is the relevant government organization having ultimate safety responsibility. The customer could be an agency, an industrial customer, a space operator, or a recognized third party.

44 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 5 ESTABLISHING THE SPACE SAFETY INSTITUTE

extended until 2023. The CSLAA just re- 5.1 quires operators to provide prospective Within a decade, customers with written information about WHICH REGULATORY the risks of spaceflight and a statement human spaceflight that the U.S. government has not certi- FRAMEWORK AFTER fied the vehicle as safe for carrying crew operation in Low and passengers. For the following 15 2023? years the discussion about commercial Earth Orbit (LEO) may human spaceflight safety standards has revolved mainly around suborbital tour- become predominantly n December 23, 2004, President ism vehicles and has been anchored OBush signed the Commercial Space to the old-fashioned concept that the commercial Launch Amendments Act of 2004 (CS- safety requirements for a new system LAA). The CSLAA made the Department can be established only when enough defined in absolute and objective terms. of Transportation and the Federal Avia- operational experience is accumulated. The other question, how to deal with tion Administration (DOT/FAA) respon- A lose-lose situation because the lack NASA procurement of commercial crew sible for regulating commercial human of safety rules leaves the customer po- transportation services to the Interna- space flight. The law established a mora- tentially unprotected while defeating the tional Space Station (ISS), was settled by torium (also called ‘learning period’) for fundamental right of industry to operate 2010 because the ISS Inter-Governmen- safety regulations of flight participants within a stable set of norms, being safety tal Agreement (IGA) prescribes a role for (crew and passengers) of 8 years, later an attribute that cannot be otherwise NASA as safety certification authority for those vehicles in accordance with agreed safety requirements and processes.

While the initial enthusiasm for sub- orbital spaceflight seems to be fading away following continuous delays, ac- cidents and bankruptcies, the sector of potential space commercial services is widening and gaining momentum. Within a decade, human spaceflight operation in Low Earth Orbit (LEO) may become predominantly commercial. There could be also important elements of private participation to government Moon and Mars exploration missions, which be- cause of high costs could also include in- ternational partners (see ESA/Airbus DS cooperation with NASA/LMCO on Orion spacecraft development). The suborbital industry may evolve away from space tourism into a similar mixed-users envi- ronment (see recent agreements to buy/ operate Virgin Galactic SS2 in Italy and UK), and become more safety-conscious The dream of flying to the boundary of space didn’t get much farther than Amsterdam for XCOR, where a Lynx in the perspective of developing future model was part of a marketing campaign. (credit: Air&Space Smithsonian/Branko Collin ) point-to-point transportation vehicles.

45 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Therefore, there is a strong need to es- interplanetary, etc.) and for any level of a safety standard would be produced tablish harmonized safety requirements system complexity, from simple cargo that almost any developer/operator and a system of recognition of safety item to a Moon base. However, verifica- could readily achieve. An additional con- certifications to better fit commercial tion of compliance with a performance cern is that the SDO’s committee could space programs into those emerging safety standard is a crucial and complex be heavily influenced by those compa- programs and markets. task that requires interdisciplinary com- nies whose ability to serve as a reliable petences and multidisciplinary review standard-setter is doubtful being princi- We have seen in the previous chap- teams with proficiency levels equal or pal lobbyist and public policy advocate ters the long and sometimes painful pro- better than design teams. For the current fighting minimum safety regulations. cess by which safety rules and organi- Commercial Crew Program (CCP) those Another concern is the relatively easy zations have matured at NASA. We have competencies and teams are provided admission to serve as expert member seen also the different schemes in use in by NASA, but this happens under rather on those committees, even when lack- other industries to perform safety stan- unique circumstances. There is no ob- ing design and/or operation experience, dardization and conformity assessment vious and simple substitute for NASA’s and minimum familiarity with modern of commercial products. We will now dis- technical capabilities for certifying non- risk-based design techniques. Finally, cuss the possible regulatory frameworks NASA commercial human systems, un- the integrity of commercially-based third that could be applied to commercial less NASA is tasked to perform such role party certification, could also be a ques- human spaceflight systems when the in support of FAA, which is out of NASA’s tionable. Their selection could be driven CSLAA moratorium expires in 2023. institutional scope. by cost considerations and “friendly” attitude. Currently there is no industrial There are four possibilities: sector dealing with safety-critical sys- tems (aviation, nuclear power plants, 1. Government regulations Prescriptive standards maritime constructions, etc.) in which such approach is used. 2. Consensus standards and are inadequate third-part certification Unregulated self-policing. This is for highly innovative essentially the scheme used by the IAQG 3. Unregulated self-policing (International Aerospace Quality Group) and fast evolving for the Quality Management System 4. Regulated self-policing certification in accordance with AS9100, system developments the quality standard used also in space programs. The IAQG membership is for companies and institutions and not for Government regulations. This Consensus standards and third- individuals. The IAQG is separate and framework is essentially the same cur- party certification. This is essentially independent from trade organizations. rently used in civil aviation. FAA would is- the scheme used for the ISO 9001 Qual- The IAQG provides strategic planning sue safety regulations and conduct rele- ity Management System certifications. and direction for the standardization vant “spaceworthiness” certifications the According to such scheme a consensus activities performed via a SDO (SAE). In same way it does for airworthiness certi- standard developing organization (ISO, addition, the IAQG is directly involved fications. Unfortunately, such framework ASTM, SAE, etc.) would set-up a com- in the accreditation and performance is workable with relatively limited human mittee (of individuals) to draft a stan- evaluation of the organizations (third- resources and skills of a regulatory body dard on commercial human-rated space parties) performing conformity assess- only if prescriptive standards (i.e. rules- systems, which would then be balloted/ ment and certification. The IAQG model based design) are available, which is not approved in accordance with the SDO’s is characterized by the participation of the case for space program. We have rules. Then commercial third-parties all major aerospace stakeholders world- seen in previous chapters that prescrip- could offer conformity assessment ser- wide, sometimes fierce competitors in tive standards are inadequate for highly vices and issue conformity certificates. the market (e.g. Boeing and Airbus), and innovative and fast evolving system de- Such approach has many drawbacks. In by their active commitment to cooper- velopments. Since the eighties, defense particular, due to the lack of overarching ate to continuously improve the quality and space programs have been the fore- policies, goals and regulatory oversight, performance of the supply chains. The runner of the modern use of performance and considering that there are already only drawback of applying such scheme safety standards (i.e. risk-based design). commercial space systems (suborbital) to system safety, is the exclusion of any The key advantage of performance stan- in the final stages of development, one regulatory top function in the direction. dards is that they are to a large extent can expect that the safety standard generic and “configuration neutral”, in could fail to reflect “best-practices” (i.e. Regulated self-policing. This is es- the sense that the same standard can those used/proven in government pro- sentially the scheme according to which be applied to the development of a vari- grams) and express instead the “lowest the Institute of Nuclear Power Opera- ety of space systems (suborbital, orbital, common denominator”. In other words, tions and the Center for Offshore Safety

46 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Allocation of Tasks, Roles and Responsibilities

COMPANY SAFETY INSTITUTE REGULATORY BODY INT. ORG

POLICIES - advise develop coordinate

STANDARDS implement develop validate -

CERTIFICATION data perform oversight -

PROCESSES establish/execute establish/execute establish/execute -

AUDITS - Company Safety Institute -

COMPETENCE

INDEPENDENCE

AUTHORITY

The regulatory body has the authority to define the overall safety goals and certification program policies. The regulatory body also defines criteria for approving the safety institute as 'recognized organization', and decides on delegated tasks and responsibilities. Development of standards in line with mandated policies, and performance of (safety) certification reviews are the key responsibility of the space safety institute. Implementation of standards, safety-case data submission to the SSI, and safety management system processes are the responsibility of the developer/operator. Refer to Annex D for further considerations about essential features of a self-policing organization (source: National Commis- sion on the BP Deepwater Horizon Oil Spill and Offshore Drilling)

where established and operate follow- 5.2 vation. A process that allows maximum ing the findings and recommendations design freedom and quick and efficient of the U.S. presidential commissions BUILDING THE SPACE reaction to technological advancement. of 1979 and 2010 respectively. Com- For such purpose the Space Safety In- panies cooperate through the institute/ SAFETY INSTITUTE stitute would be organized around two center towards the safety common concepts: “regulated self-policing” and goal by issuing standards and verifying “safety-case”. The “safety-case” ap- compliance, under government broad or commercial human spaceflight to proach leaves the definition of (safety) direction and control. This is also the Fflourish and expand, industry must design solutions and operational proce- scheme proposed in this document for build on the experience accumulated dures to the developer/operator, while the establishment of the Space Safety until now in government space programs placing the responsibility for validation Institute. It combines the advantage of and cooperate between them, with insti- of system’s compliance into the hands empowering the stakeholders (in the tutional customers, and with regulatory of an independent team of experts. In- case of space, industry, FAA, and NASA bodies to advance safety as common stead the “regulated self-policing” re- as customer) to direct and fund the strategic goal. For such purpose, the In- gime gives to the stakeholders’ commu- resources needed to achieve rapid re- ternational Association for the Advance- nity the responsibility to define the safety sponse flexibility in standardization and ment of Space Safety (IAASS) and the (performance) standards and organiza- conformity assessment activities, with International Space Safety Foundation tional processes that must be followed affordable access to shared skilled re- (ISSF) are promoting the establishment to ensure that government issued safety sources, under the assurance of pursu- of a Space Safety Institute (SSI). The SSI policies and goals are met. ing public interest provided by the regu- main mission would be to establish and latory body involvement. manage a safety certification process for The Space Safety Institute would commercial human rated systems which be somehow a “middle-man” between is lean, effective, and does not stifle inno- the regulatory body and the commercial

47 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

The Space Safety Institute would be organized around two concepts: “regulated self-policing” and “safety-case”

space companies for the benefit of both parties. The SSI would provide standard- ization and safety certification services as a “recognized organization” approved by and operating under oversight of the regulatory entity. The Space Safety Insti- tute would include:

1) Standardization secretariat: for detailed annual planning of stan- dardization activities, issuing of op- erating procedures, and monitoring progress of working groups activi- 5.2.1 cial space systems safety and technical ties, publications of standards. standards. However, for safety, a single Standardization NASA standard does not exist. Safety re- 2) Safety review panel: for reviewing quirements developed since the Shuttle certification data packages, ap- activities program were either embedded in system proval of hazard controls/verifica- specification or issued as program safety tions, and providing recommenda- specification (e.g. SSP 50021, the Inter- tions to safety authority on waivers/ t NASA a large body of knowledge national Space Station safety standard). deviations to policy requirements Aexists in the form of specifications, The IAASS has performed a compilation standards and handbooks, which has of those safety requirements (see IAASS- 3) Safety Management System au- been accumulated in several decades of SSI-1700) such to represent an envelope diting function: for periodically space programs. However, they cannot of the current best-practices. auditing companies’ safety orga- be directly used in commercial programs nizations, design, operations and because on one hand the language used Participation to SSI standardiza- management processes, safety ca- reflects customer-contractor relationship tion activities would not be restricted to pabilities and performance. and the organization of specific govern- SSI Partners but would be open to any ment programs, while on the other hand, company, government organization, and The Space Safety Institute would they were established internally to serve non-government organization involved in also coordinate, support and promote the agency’s own ultimate objectives space studies, developments, and op- research in the field of space safety engi- and policies. erations, or procuring commercial space neering, support educational programs, systems and services. and provide professional training oppor- An inventory of such technical stan- tunities to members. dards was already performed by NASA as The tenets of the SSI standardization recommended practices for possible use activities are competence, inclusiveness, Public safety, space traffic manage- by companies involved in the Crew Com- use of proven best-practices as starting ment, environment protection and in- mercial Program. Those standards could point, and commitment to continuous ternational coordination would remain be reviewed, adapted and re-issued as improvement of system safety engineer- outside the scope of the Space Safety commercial standards with relatively ing and management practices. Details Institute, and entirely under the responsi- minor effort. They would represent the on the SSI initiative are provided by a bility of the relevant regulatory authority. starting reference for the development separate document in the form of draft of a wider and coherent set of commer- Memorandum of Understanding (MoU).

48 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Flight Readiness (CoFR) to the regulatory cal interchange meeting. The Executive 5.2.2 organization (FAA). Secretary would draft and record action items for review and concurrence by the Safety Review Panel SSI SRP Chair and by the system devel- Safety Review Panel Chair oper/operator. An important task of the Executive Secretary would be the prepa- he SSI Safety Review Panel (SRP) will The SSI SRP Chair would be a staff ration of the annual plan of panel mem- Tbe responsible for conducting flight of the SSI and would be appointed by bers resources required, and to issue the safety reviews. The SSI SRP will assist the SSI Board. The SSI SRP Chair would relevant work orders. the developer/operator in assuring that define and implement the flight safety safety critical systems, subsystems and review processes for the system under operations are appropriately designed certification, including assessing compli- Safety Review Panel Members and verified. Specifically, the SSI Safety ance with safety requirements and poli- Review Panel will perform the following cies to assure safety of the vehicle, crew, The members of the safety review functions: and other interfacing systems. The SSI panel would be independent contrac- SRP chair would have the authority to tors of the Space Safety Institute, They a) Assisting the developer/operator in approve individual phase safety review would be proposed by SSI management interpreting safety requirements in a completion by signature of the relevant or SSI Partners, and selected/appointed manner consistent with applicable safety-case reports and to make panel by the SSI Board, based on criteria such requirements, and providing recom- decisions, considering recommenda- as competence, lack of conflict-of-inter- mendations for implementation. tions from the other panel members of est, etc. The members of the Safety Re- the safety review panel. view Panel would be engaged through b) Conducting safety reviews as ap- work-orders for discrete durations of propriate during various phases of time. The members would be experts in system development and operation. Safety Review Panel Executive the following disciplines (non-exhaus- Secretary tive list): safety & mission assurance, c) Evaluating changes to system that operations (crew operations, robotic either affect a safety critical sub- The SSI SRP Executive Secretary operations, proximity operations, etc.), system or create a potential hazard would be a staff of the SSI and would mechanical engineering (structures, to interfacing systems, or crew. be appointed by the SSI Board. The Ex- pressure systems, mechanisms, materi- ecutive Secretary would ensure consis- als, etc.), electrical/avionics (batteries, d) Evaluating safety analyses and tent implementation of safety process power distribution, GN&C), computer safety reports, and processes Non- requirements as the principal adminis- systems, propulsion, pyrotechnics, life Compliance Reports. trative officer for the SSI SRP. The Ex- support & habitability, toxicology, medi- ecutive Secretary would maintain the cal representative. The member would e) Ensuring the resolution of system administrative records of the panel, co- receive at the time of the first appoint- safety issues. ordinate the administrative check of in- ment a dedicated training by the SRP coming data, and ensure delivery of data Executive Secretary on the safety re- At the successful conclusion of safe- to SRP Members. The Executive Sec- view processes and requirements, ty reviews cycle, the SSI Safety Review retary would coordinate and schedule and on panel members responsibilities Panel Chair would submit a Certificate of formal flight safety reviews and techni- and duties.

SPACE SAFETY INSTITUTE

Educational & Safety Review SMS Research Standards Professional Panel Audits Program Training

49 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 6 SAFETY RESEARCH PROGRAM

Gehman stated: “The safety organiza- 6.1 tion sits right beside the (Shuttle) per- son making the decision, but behind the NESC safety organization there is nothing there, Behind the safety no people, money, engineering, exper- tise, analysis … there is no ‘there’ there.” organization he Space Safety Institute research Tprogram operation would be modeled NASA responded within weeks to there is nothing there, to some extent after the NASA Engineer- this statement announcing the forma- ing and Safety Center (NESC). tion of the NASA Engineering and Safety no people, money, Center or NESC to provide programs an After the Shuttle Columbia accident, alternate perspective on difficult techni- engineering, expertise, the investigation was entrusted to the cal issues. The NESC fills this need by CAIB (Columbia Accident Investigation bringing together technical experts from analysis Board) chaired by Admiral Harold Gehm- across NASA, industry, other govern- an. As the investigation progressed, the ment agencies and academia and lever- CAIB Chairman provided briefings and aging their expertise to solve problems. tional groups inside NESC are the Prin- updates to NASA, the U.S. Congress, cipal Engineers Office, providing study and the American public. On one such The NESC is made of a core orga- leadership and management, particularly occasion in July 2003, speaking pub- nization composed by Director, perma- for longer term, multidisciplinary assess- licly following a Congressional briefing, nently assigned technical personnel, and ments, and the Technical Fellows Office. management offices, and a network of Technical Fellows are recognized tech- on-call experts remotely located. The nical leader in their specific discipline. NESC operates in a “tiger-team” model Each TF maintains a Technical Discipline when conducting studies and assess- Team consisting of experienced subject ments, forming a dedicated team of matter experts from other NASA Cen- subject matter experts to address a well- ters, U.S. Government Agencies, aca- defined technical issue. The key func- demia, and industry.

The NESC NRB decides on accepting new studies or assessments according to the following priorities:

1) Technical support of projects in the flight phase

2) Technical support of projects in the design phase

3) Known problems not being addressed by any project

4) Work to avoid potential future problems

5) Work to improve a system Admiral Harold W. Gehman,

50 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Launch Abort System (MLAS). The NESC undertook the Max Launch Abort System project to develop and flight-test an alter- native launch abort (escape) system de- sign, as compared to NASA’s traditional tower-based design used during Projects Mercury and Apollo.

6.2 THE SPACE SAFETY INSTITUTE RESEARCH CENTER

he Space Safety Institute Research TCenter (SSIRC) research program Max Launch Abort System test, July 8, 2009 at the NASA Wallops Flight Test Facility. would have two main objectives:

1) supporting on going commercial The NESC Review Board (NRB), results must be delivered to the request- projects risk assessments, as the composed by Technical Fellows and se- er before the final report is complete, the need arises; nior NESC managers as voting members, NESC Review Board may also review evaluates and approves each technical and approve FORs separately from the 2) development of advanced risk study and plan, monitors assessment report, with the expectation that they are controls. progress, and reviews and approves the final and will not change. final report and recommendations to en- The SSIRC would make available, sure technical rigor and accuracy. The NESC, in addition to assessments upon request, extra expert support to the addressing near term mission needs, SSI Safety Review Panel and to commer- Each final report is peer-review in- has undertaken several large-scale, cial developers/operators for the evalu- ternally and externally to the NESC, and risk-reduction projects for major NASA ation of special safety issues or for the receives final scrutiny and approval from programs that, for one reason or anoth- performance of independent assessment the NESC Review Board before publica- er, the program could not undertake on of complex cases, like unresolved anom- tion. Since in some cases, assessment its own. These projects include the Max alies or “equivalent safety” solutions.

Election into the SSI Technical Fellowship would follow a formal process. Prospective Technical Fellows would be nominated by SSI Members, and evaluated by the SSI management based on five criteria:

1) Technical knowledge and judgment

2) Creative problem solving and innovation

3) Technical leadership, advising and consulting

4) Capability as a teacher and mentor

5) Technical vision

51 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

“Equivalent safety” is a key feature of per- formance-oriented safety requirements Space Safety Institute Research Center to allow maximum flexibility and freedom to designers. “Equivalent safety” refers Matrix Organization to conditions that do not meet specific safety requirements in the exact manner specified. However, the system design, DIRECTOR procedure, or configuration satisfies the intent of the requirement by achieving a REVIEW BOARD comparable or higher degree of safety. Criteria are based on: (a) use of alterna- tive methods/controls; (b) utilization of procedures, protective devices, pre-flight TECHNICAL FELLOWS PRINCIPAL verification activities, and crew experi- OFFICE ENGINEERS OFFICE ence base; (c) reduced time of exposure; (d) likelihood/probability of additional fail- ures after loss of first control/inhibit; re- Technical Technical Technical Project Project Project duction of hazard category, and/or other Discipline Discipline Discipline Team #1 Team #2 Team #... factors such as minimum of single FT with Team #1 Team #2 Team #... a robust design. “Equivalent safety” re- quires careful consideration and need to be investigated on a case-by-case basis. However, the lessons learned during such Space Safety Institute Research Center Products investigations represent an important knowledge data base to be maintained in Assessment Engineering Reports support of the safety review panel. The detailed engineering and analyses generated from each assessment would be captured in comprehensive engineering reports and converted into SSI Technical Memorandums The SSIRC would be made of a (TM) for permanent archive and access by all SSI Partners. core organization composed by direc- tor, permanent technical personnel, and Technical Bulletins management offices, and a network of Occasionally, significant and noteworthy data found during SSIRC assessments would be on-call experts remotely located. The turned into one-page technical bulletins. The bulletins condense new knowledge or best SSIRC would operate in a “tiger-team” practices into quick and easy reads, while also linking to additional reference material. model when conducting studies and as- sessments, forming a dedicated team Lessons Learned Safety lessons learned database would be used to capture important and broadly applicable of subject matter experts to address a lessons learned. In some cases, the lesson may be significant enough that it would be used well-defined technical issue. The key as input to update an SSI standard. functional groups inside the SSIRC would be the Principal Engineers Office, Safety Review Panel Support Reports providing study leadership and manage- Special reports prepared in support of the SSI Safety Review Panel, for their internal use. ment, particularly for longer term, mul- The reports would analyze new, complex or unique design solutions for acceptability tidisciplinary assessments, and the SSI with reference to an applicable generic safety requirement in the standard. The detailed Technical Fellows Office. SSI Technical engineering and analyses generated from each assessment would be captured in Fellows would be recognized technical comprehensive engineering reports for internal use by the SRP. leader in their specific discipline. Each TF would maintain a Technical Discipline Team consisting of experienced subject matter experts from NASA, U.S. Govern- dations to ensure technical rigor and accu- The budget of the SSIRC would be ment Agencies, academia, industry and racy. In case of an assessment performed managed in accordance to the principle professional associations. on behalf of a company, a company nom- that the activities performed by the per- inated representative will be included as manent technical personnel would be The SSIRC would establish a Review voting member of the Review Board for charged as SSIRC costs, while those Board (RB), composed by SSI Technical the relevant assessment plan and techni- performed in support of a specific (com- Fellows and senior SSIRC managers as cal report. The publication and distribution mercial) project, either upon SRP request voting members, to evaluate and approve of reports would be subjected, in princi- or as request by a company, would be each technical study and plan, monitors ple, to the same clauses of confidential- charged to the company, as per dedi- assessment progress, and reviews and ity applied for the activities of the safety cated contract. approves the final report and recommen- review panel.

52 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Chapter 7 SAFETY EDUCATION AND PROFESSIONAL TRAINING

Training is much more short term and 7.1 typically takes days to a week or two Space system safety to complete. AN UNANSWERED engineering methods Space system safety engineering NEED methods and risk management tech- and risk management niques are not generally taught in depth in aerospace engineering schools. ince its inception, the International techniques are not In the early times of space programs, SAssociation for the Advancement after the Apollo 1 accident, engineers of Space Safety (AASS) has identified generally taught in had to gain a broad understanding of education and professional training as multidisciplinary system safety aspects key enhancer of space safety. Training depth in aerospace such to be able to perform integrated is different from education. Several high analyses, without the benefits of any technology organizations clearly make a engineering schools specialized education background or key distinction between the concepts of professional training. Knowledge was education and training. developed through internal information exchanges, brain storming, discussions, ƒƒ We accept the concept that educa- gram prepares individuals for careers and short seminars. Later those pioneer tion is “instruction and study focused and includes practice in critical and safety engineers started teaching new- on creative problem solving that does creative thinking that will in many comers in a sort of master-to-apprentice not provide predictable outcomes. ways last throughout a career. relationship, usually with much focus on Education encompasses a broader administrative tasks, which represented flow of information to the student ƒƒ We also accept that training can be the entry level into the safety job. As and encourages exploration into un- defined as “instruction and study fo- the system engineering community be- known areas and creative problem cused on a structured skill set to ac- comes increasingly aware that safety solving”. Graduate level education quire consistent performance. Train- must be designed-in from the very be- requires time to complete and often ing has predictable outcomes and ginning or risk escalating project costs, culminates with an original research when outcomes do not meet expec- schedule delays, and a pile of safety endeavour. Such an educational pro- tations, further training is required.” non-compliances, the need for safety

IAASS has published four unique textbooks in the field of space safety

53 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

how”. An engineer can be trained about 7.2 how to perform a hazard analysis or how to estimate the level of risk. Such EDUCATIONAL knowledge is required when the simple knowledge about the action to be taken, AND TRAINING which is the essence of “know-what” knowledge is insufficient, and instead a IAASS publishes PROGRAMS process must be learned about how to a quarterly journal establish the actions to be taken (as part of design, manufacturing or operations). he effective education and training For example, this could be the case of education and training is being felt not Tof professionals in the space safety learning which rules to follow to design a only by the safety people but by the en- field depends on the availability of rel- spacecraft to prevent air leakage. Finally, tire project team. evant and up-to-date academic and the third level of knowledge, the highest, training courses in all areas related to is the “know-why” knowledge. At this In 2009 the IAASS started the publi- space safety. The aim of the SSI educa- level, an individual has a deep under- cation of university textbooks in the field tion and training programs is to create standing of causal relationships, interac- of space safety, The first book, “Safety opportunities for and to manage the “cir- tive effects and the uncertainty levels as- Design for Space Systems”, was fol- cular” transfer of knowledge, from space sociated with issues and problems. This lowed in 2011 by “Space Safety regula- agencies to industry and academia, and will usually involve an understanding of tions and Standards, then in 2013 “Safe- vice-versa. We can distinguish differ- underlying theory and/or a range of ex- ty Design of Space Operations”, and ent levels of knowledge transfer: “know perience that includes many instances more recently “Space Safety and Human what,” “know how” and “know why”. of anomalies, interaction effects, and ex- Performance” (2018). The “know what” knowledge provides ceptions to the norms and conventional awareness of issues and problems and wisdom of an area. The Space Safety In- The IAASS unique textbooks are what action to take when one is pre- stitute should provide professional train- widely considered to be essential ref- sented with them. An astronaut on the ing courses, focused on “know what” erence for those that engage in formal international space station trained about + “know how”, and undergraduate and study of space safety and represent a what to do in case of air leakage and postgraduate university levels courses, good foundation on which to build the other emergency situations acquires a focused on “know how” + “know why”. SSI educational and professional train- “know-what” level of knowledge. The Annex C provides an outline of the SSI ing programs. next higher level of knowledge is “know- educational and training programs.

Remote Learning Center (Courtesy: University of Southern California)

54 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Annex A COMMENTS ON THE HOUSE FLOOR UPON INTRODUCING A BILL TO ENHANCE THE SAFETY OF COMMERCIAL SPACE FLIGHT By Rep. James Oberstar Tuesday, February 8, 2005

r. OBERSTAR. Mr. Speaker, mature air transportation industry. Mtoday I have introduced a bill Specifically, although my bill would to enhance the safety of commer- require that FAA include, in each li- cial space flight by ensuring that cense it issues, minimum standards the Federal Aviation Administration to protect the health and safety of (FAA) has the authority it needs to crews and space flight participants, protect the safety of passengers of it would further require that, in im- the emerging commercial space in- posing these standards, FAA must dustry. take into account the “inherently risky nature of human space flight.” Mr. Speaker, I support com- My bill would give the FAA the flex- mercial space exploration and the ibility to create a regulatory struc- commercial space industry, but ture governing the design or opera- not at the expense of totally ignor- tion of a launch vehicle to protect ing safety. The Commercial Space the health and safety of crews and Launch Amendments Act of 2004, space flight participants as is nec- P.L. 108-492, prohibits the Secretary essary, without having to wait for a of Transportation from issuing safety catastrophic failure to occur. design and operating regulations or even minimal safety requirements for Mr. Speaker, safety regulation individual licenses for the next eight need not be incompatible with devel- years unless there is a potentially oping new technology. For example, catastrophic incident. although FAA has closely regulated totally banning any safety requirements, aircraft manufacturing since the 1920’s, The current statutory language except in post-accident circumstances this regulation has not prevented major amounts to, in essence, the codification where lives have already been lost. Under technological progress, including the de- of what has come to be known in avia- the Act, the FAA would be prevented from velopment of jet aircraft in the 1950’s and tion safety parlance as the “Tombstone requiring even the simplest, least expen- all-composite general aviation aircraft in Mentality.” For years, both I and many of sive enhancements to protect safety of recent years. We can and should pro- my colleagues on the Aviation Subcom- passengers on these space flights. tect the safety of passengers on space mittee have criticized the FAA for wait- flights in this new and emerging industry, ing until after a disaster to take safety Mr. Speaker, my bill would amend without placing unreasonable limitations actions, and have urged more proactive the Commercial Space Launch Amend- on industry development. I urge my col- safety oversight. ments Act to give the FAA the authority leagues to join me in working to pass this and flexibility to establish minimum safe- important legislation. Supporters of the Commercial Space ty regulations. My bill would not preclude Launch Amendments Act argued that innovation and, contrary to the claims of NOTE: The Bill did not pass. Hon safety regulation would discourage ex- supporters of the Act, my bill would not James L. Oberstar became two years perimentation and innovation. However, require FAA to impose the same degree later Chairman of the House Transporta- the Act went well beyond these objec- of regulation on the developing space tion and Infrastructure Committee from tives and essentially tied FAA’s hands by travel industry that is imposed on the 2007 to 2011.

55 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Annex B “SAFETY IS NOT PROPRIETARY” STATEMENT TO THE NATIONAL COMMISSION ON THE BP DEEPWATER OIL SPILL AND OFFSHORE DRILLING By Rex Tillerson, Chairman and Chief Executive Officer Exxonmobil November 9, 2010

merica’s oil and natural gas resourc- share ExxonMobil’s approach to safety, this desire into action. The answer is not Aes are the foundation of our nation’s operational integrity and risk manage- found only in written rules, standards economy and our standard of living, and ment. Many would say, especially now, and procedures. While these are im- it is essential that we ensure the safe that energy companies must make safe- portant and necessary, they alone are production of these resources. ty a “top priority” — but I believe that not enough. a commitment to safety must run much This country — as well as the global deeper than simply being a “priority.” The answer is ultimately found in energy industry — will benefit from a a company’s culture — the unwritten full understanding of the causes of the A company’s priorities can — and standards and norms that shape mind- Deepwater Horizon incident. I am confi- do — evolve over time depending on sets, attitudes and behaviors. Compa- dent that the commission’s findings will business conditions and other fac- nies must develop a culture in which the help advance our goal, which is to en- tors. A commitment to safety therefore value of safety is embedded in every sure that all our nation’s energy facilities should not be a priority, but a value — a level of the workforce, reinforced at ev- are operated at the highest standards value that shapes decision-making all ery turn and upheld above all other con- of safety. the time, at every level. siderations.

So, I am grateful for the chance to Every company desires safe opera- I’ve been asked today to explain how come before the commission today to tions — but the challenge is to translate ExxonMobil approaches these critically

56 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

important areas of systems and culture progress to be achieved, its impetus We expect our contractors to be as when it comes to safe operations and had to come from within the company. knowledgeable and conversant with our risk management. We could not have government impose OIMS processes as our own employ- a safety culture on us, or hire someone ees. Not every company has this ex- to do it for us. Experts and consultants pectation, but we have found that when OIMS do provide a valuable service, but for everyone in the workplace speaks the an organization to change its culture, same language of safety — employees The evolution of ExxonMobil’s safe- change must come from the inside- and contractors alike — everyone can ty culture dates back to the 1989 Val- out, not the outside-in. You cannot buy work collaboratively, safely and effec- dez spill. As I have said before, Valdez a culture of safety off the shelf — you tively. was a low point in our history. It was a have to craft it yourself. traumatic event, with enormous con- You may have heard the phrase: “If sequences for all involved. But it also So we began. We began by creating you can’t measure it, you can’t manage served as a catalyst and a turning point a framework that puts our safety com- it.” And it’s true. And that is why Exxon- which prompted our management to mitment into action. Today, that frame- Mobil measures and analyzes its safety completely reevaluate how ExxonMobil work is called the Operations Integrity performance — all the time, all the way understands and manages risk. Management System, or OIMS for short. down to every business level. We record not just our injuries, but we record our That is not to say that, prior to Val- Because OIMS is multi-faceted, it near misses and our close calls. Our dez, we did not take safety seriously. can be hard to describe briefly. Here are goal is not just to analyze safety inci- ExxonMobil had been in business for the basics: OIMS is a rigorous 11-point dents after they happen, but to identify more than 100 years, and we had al- set of elements designed to identify risks and risky behaviors before they ways taken steps to maintain safe op- hazards and manage risks. Its frame- lead to a safety incident. The more ele- erations as risks changed and energy work covers all aspects of safety; man- ments of risk to be managed in an ac- technologies evolved. agement leadership and accountability; tivity, the more frequently we test, mea- design, construction and maintenance sure and analyze the safety approach in We were proud of our safety record. of facilities; emergency preparedness; that activity. We believed, as our safety credo at the management of change; assessment of time stated, that all accidents and inju- performance; and, of course, thorough More broadly, OIMS requires us to ries are preventable. Like many compa- inquiries into accidents and incidents. audit the health of the overall safety nies, we worked to meet or exceed all approach in all of our operating envi- industry safety standards, trained our OIMS guides the activities of each ronments, on a regular basis. Impor- employees in safety procedures, and of ExxonMobil’s more than 80,000 em- tantly, these audits at ExxonMobil are tracked certain metrics that measured ployees, as well as our third-party con- performed not only by trained safety our success. But we did not have a tractors, around the world. Over time, it personnel, but by cross-functional, comprehensive, systematic view of this has become embedded into everyday cross-regional teams drawn from all aspect of our business that we have to- work processes at all levels. over our global organization. In this way, day. all employees are responsible for each Through OIMS, ExxonMobil moni- other’s safety. Also, the knowledge em- And so, in the early 1990s, Exxon- tors, benchmarks and measures all ployees gain by participating in these Mobil’s management undertook what aspects of our safety performance. Its audits is taken home to their jobs, and I consider to be a visionary approach. structure and standards are shared and spread throughout the organization. The goal was to wholly reorganize the communicated the world over. One of company to make safety — of people, the greatest benefits of OIMS is that it facilities and the environment — the has enabled ExxonMobil — a large or- Leadership center of everything we do. Safety ganization that operates across diverse would come first, period. cultures and geographies — to be of Yet, OIMS by itself is only one part of one mind when it comes to safety and the equation. Even the best safety sys- It was the beginning of a long jour- risk management. I can visit a refinery, tems are not fully effective unless they ney for our company. And I should make a lab or an offshore platform anywhere exist as part of a broader culture of safe- it very clear: this is a journey that we in the world and immediately be on the ty within the people of the organization. have not completed. We know that we same page as the local employees and cannot rest or waver from the goal of contractors regarding safety practices While ExxonMobil and other energy driving accidents and incidents to zero. and expectations. companies use a lot of equipment — ev- And we’re not there. erything from steel pipe to supercomput- And I want to stress that the con- ers — it is people who bring this equip- But we have made significant prog- tractors that we work with are embed- ment to life. And people’s behavior is ress. And, as we have learned, for this ded within our OIMS processes as well. heavily influenced by their culture.

57 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

By instilling the value of safety in true. To get where we need to be on safe- performance across the organization. our employees from the first day of hire, ty, continuous improvement is essential. I have no doubt that every single employee ExxonMobil strives to create a work- shares this goal. ing environment in which safe behaviors In an industry such as ours — which are internalized; they’re reinforced; and operates 24 hours a day, around the world they’re rewarded. — the need to manage risk never ends. Risk/Change Even the best safety framework should be The culture of safety starts with viewed as a work in progress. Considering that many of ExxonMo- leadership — because leadership drives bil’s energy projects can span decades, behavior and behavior drives culture. Developing a culture of safety there- achieving the goal of a self-supporting, Leaders influence culture by setting ex- fore is not an event, but a journey. For sustainable energy culture means we pectations, building structure, teaching ExxonMobil, that journey began more must be flexible and adaptable to chang- others and demonstrating stewardship. than 20 years ago, when we put our global es in the operating environment. safety framework in place. And that is why the first element of As a result, management of change OIMS is “management leadership and ac- Once that framework became em- is a key component of our OIMS system. countability.” ExxonMobil managers are bedded in our organization, we saw the Our management of change process- expected to lead the OIMS process by culture start to change and the results be- es are designed to ensure that with any demonstrating a visible commitment to came evident in improved performance. In change in our business or operations, we safety and operations integrity. In addi- turn, this allowed us to move from imple- recognize the changed conditions, we ac- tion, safety leadership is a significant part menting the system to improving it. tively identify the new or changed risks, of how a manager’s overall performance and we apply our disciplined processes is evaluated. That’s when ExxonMobil’s culture for managing the risks and their potential was really transformed. Over the years, I consequences. As chairman and chief executive, I have seen people at all levels understand know that a commitment to safety and that our safety systems are put in place Risks are addressed and the change operational integrity begins with me for them, that they are about protecting is managed - typically through either and the rest of ExxonMobil’s manage- them and their coworkers and the public, technological solutions, or operating ment team. But management alone can- and not about catching people doing the changes in response to the potential risk. not — and should not — drive the entire things wrong. But most importantly, it is clear who owns culture. For a culture of safety to flour- the management of change and the sub- ish, it must be embedded throughout the Part of that transformation is recog- sequent risk management, and every em- organization. nizing that every employee’s job involves ployee and contractor is important to that some degree of risk management — even process. Therefore, safety leadership at Exx- those employees who work in office set- onMobil comes not just from supervisors tings. That is why OIMS extends even to These very deliberate, well-estab- and managers, but from employees and administrative locations. lished processes, embedded in OIMS, contractors, and through channels both have enabled ExxonMobil to pursue chal- formal and informal. When an organization reaches the lenging new resources and new develop- point where everyone owns the system ment projects with the confidence that we ExxonMobil’s goal is not simply to and believes in it, only then at that point, will do so safely and responsibly. have employees comply with safety pro- the culture of safety and operational in- cedures. A culture of compliance alone tegrity has been established that can be Such an approach is not only in the can lead to complacency. We seek to go sustained — when it enters the hearts and interests of employees and resource own- beyond compliance, to create a culture in minds of the people of the organization ers — but clearly it is also in the interests which employees are not only meeting the and becomes a very part of who we are. of our shareholders. safety procedures, but they are challeng- ing them so they can be improved wher- We often use the phrase at Exxon- ever needed. Mobil, “Nobody Gets Hurt” to describe Best Practices our safety objective. Some observers of our company question this; they say it Which leads me to my next point: Up- Achieving A Sustainable Culture of can’t be done. Well, it can be done. We holding the highest standards of safety Safety have operating units today that have gone and operational integrity is not just “the years without a recordable injury. right thing to do” — a phrase we some- I do not want anyone to think — in- times associate with an act of selflessness; side or outside our company — that pride Our challenge is to sustain that per- it is also in a company’s self-interest, be- in our safety systems means we can relax formance where it has been achieved, cause it makes for more competent, more our commitment. The exact opposite is and to replicate and grow that record of productive employees and organizations.

58 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

The rigor, discipline and degree of ronmental damage. If we don’t learn les- energy involves a high degree of risk; our accountability required to improve safety sons from this disaster, it will have been a employees operate some of the world’s performance are the same qualities that double tragedy. most complex technologies in some of the produce successful business results — world’s harshest environments. operationally and fiscally. As Chairman Reilly said at this com- mission’s first meeting back in July, we How we continue to progress techno- Safety is not proprietary. And for this must “come to grips with this disaster so logically while dealing with significant risk reason, ExxonMobil shares its best prac- we can never see its like again.” is that human progress does not mean tices within our industry, and across other avoiding risk; it means managing risk by industries. identifying it, and taking steps to mitigate MWCS it. No company — including my own — We seek to learn from others. After can lay claim to a one hundred percent the 2003 Columbia space-shuttle explo- I spoke earlier about risk manage- success rate in this endeavor. Yet that re- sion, ExxonMobil assembled a team of ment being a constant challenge. While mains our clear goal. engineers, scientists and safety experts to ExxonMobil believes that incidents like study the technological and organizational the Deepwater Horizon spill should not In closing, there are three points that factors that may have led to that disaster, happen if industry best practices are fol- I hope the Commission will consider in its and whether there were any lessons for lowed, the spill did expose that our nation, deliberations: First, a culture of safety has ExxonMobil’s operations. and the energy industry, could have been to be born within the organization. You better prepared for the possibility, how- cannot buy culture. You have to make it It is by constantly learning and analyz- ever remote, of a deepwater well blowout. yourself. ing — by looking to best practices in other That is why ExxonMobil is leading a multi- organizations, and by examining incidents company effort, along with my colleague Second, make no mistake: creating a and near-misses in our own organization [Marvin Odum, Shell] today, to build a new strong, sustainable safety culture is a long — that we continually improve our own rapid-response oil containment system in process. If an organization is truly going performance. the Gulf of Mexico. This system — involv- to overhaul its approach to safety, it has ing a $1 billion initial commitment from to be committed from day one. But, you the four sponsor companies — is unprec- can’t start until you start — and you’re Deepwater edented in our industry. It will provide pre- never going to finish. engineered, constructed, and tested con- I know this commission has heard a tainment technology and equipment to be Finally, I want to return to OIMS. lot about the importance of deepwater en- deployed within 24 hours of a deepwater I mentioned that there are eleven ele- ergy supplies, but it bears repeating. The spill in the Gulf. ments, all of which are fundamental to technology that has enabled our industry safe and responsible operations at Exx- to reach the oil and gas found in deepwa- In addition, ExxonMobil and other op- onMobil. But the first and last elements ter fields is one of the most significant -en erators in the Gulf of Mexico, in conjunc- — the bookends of OIMS — are the most ergy-security developments of the last 20 tion with the Department of Interior, have critical. years. Deepwater production, which did instituted new requirements regarding in- not exist prior to 1989, today makes up spection and certification of blowout pre- These are “Management Leadership 15 percent of all non-OPEC production. venters, well casing designs and cement- and Accountability”, and “Operations In- By 2030, it will grow to nearly 20 percent. ing procedures. tegrity Assessment and Improvement”. Along with Brazil and West Africa, the Gulf Without leadership by example and with- of Mexico is one of the most important I believe that these steps, in addition out thoughtful, honest and objective self- deepwater provinces in the world. to the inspections performed on all deep- assessment, no system is sustainable. water rigs in the months following the In 2008, there was more oil and gas Deepwater Horizon incident, will enable Our nation, and our world, continues discovered in deep water than in on- the Gulf region, and the entire country, to to face challenges. Meeting the world’s shore and shallow water combined. For continue to develop our nation’s energy growing demand for energy — safely, and the sake of our energy security, and the resources with confidence. with minimal impact on the environment economic growth and jobs that depend — is one of our biggest. In examining the on the production of these supplies, we causes of the Deepwater Horizon inci- simply cannot afford to turn our backs on Conclusion dent, this commission is helping advance this resource. our progress toward this goal. In concluding I’d like to share this Neither can we miss the opportunity thought: ExxonMobil is sometimes viewed ExxonMobil strongly supports your in- to improve safety in the Gulf of Mexico. as a cautious company; we’re sometimes quiry, and remains committed to support- The Macondo blowout cost 11 lives, and criticized for being too cautious. And yet, ing the cause of safety within our compa- billions of dollars in economic and envi- meeting the world’s growing demand for ny and beyond.

59 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Annex C EDUCATIONAL AND PROFESSIONAL TRAINING PROGRAMS

tificate Program in Space and Aviation includes online course content. Discus- C.1 Safety, and of regionally available web- sion forums via email, videoconferenc- based undergraduate courses on space ing, and live lectures (video streaming) SAFETY EDUCATION and aviation safety. It would provide in- are all possible through the web. Web- formation on possible instructors, and based courses may also provide static PROGRAM information with regard to the instruc- pages such as printed course materi- tional program and all pre-program and als. One of the values of using the web post program activities. The SSI Aca- to access course materials is that web he SSI education program could con- demic Program is very roughly outlined pages may contain hyperlinks to other Tsist of two main components: below and is subjected to change and parts of the web, thus enabling access refinement as part of the study process to a vast amount of web-based infor- ƒƒ Postgraduate Certificate in Space and based on key faculty availability, indicat- mation. A “virtual” learning environment Aviation Safety, ten weeks in-class ed need for educational courses in these (VLE) or managed learning environment disciplines as well as the result of other (MLE) is an all in one teaching and learn- ƒƒ Undergraduate courses on dedicated input from space agencies, aerospace ing software package. A VLE typically topics, 21 hrs/course, distant learning agencies, research centres, or universi- combines functions such as discussion ties that might participate. boards, chat rooms, online assessment, This study output would be a de- tracking of students’ use of the web, and finitive outline of the 18 Credit (Half of Web-based learning is often called course administration. VLEs act as any Masters) international Postgraduate Cer- online learning or e-learning because it other learning environment in that they

C.1.1 Postgraduate Certificate Courses

The 10-week postgraduate certificate will be split in: • “Human Spaceflight Module” of 5 weeks duration • “Space and Air Legal and Regulatory Module” of 1 week duration • “Space Operations Safety Module” of 4 weeks

Human Spaceflight Space and Air Legal and Regulatory Space Operations Safety Module Module Module (5 weeks) (1 week) (4 weeks) P1 P5 P5 Space Environment and Human Space & Aviation Treaties, Regulations and Range Safety, Spaceport Ground Safety, Performance Standards Air-launch Safety (2 credits) (1 credit) (3 credits) P2 P6 P6 Safety Design for Space Systems Air Traffic Management & Space Traffic On-orbit Safety (including case studies) Management (2 credits) (3 credits) (1 credit) P3 P7 Software Systems Safety Re-entry Software Systems Safety (2 credits) (3 credits) P4 System Safety Analysis Methods (3 credits)

60 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

C.1.2 Undergraduate/Postgraduates Courses (Web-based) C.2 U1 Elements of Industrial and Occupational Safety for Spaceports SPACE SAFETY U2 Orbital Debris Mitigation and Spacecraft Operations Safety

U3 Propellant and Explosive Systems Safety Design PROFESSIONAL

U4 Materials Safety and Oxygen Systems Design TRAINING PROGRAM

U5 Elements of Space Systems Design and Safety he courses duration would generally U6 Extra Vehicular Systems and Activities Safety Tvary from 12 hours to 30 hours, they would be mainly web-based, but few U7 Aviation Airworthiness Certification may be in-class. U8 Safety of Nuclear Spacecraft Systems 1) System Safety Engineering U9 Accidents Investigation 2) Commercial Human Spaceflight U10 Space Traffic Management Safety U11 Air Traffic Control 3) Launch Safety Analysis U12 Safety Management System and Safety Culture 4) Re-entry Safety Analysis U13 Cognitive Functions and Human Error

U14 Astronauts Selection and Training 5) Space Debris

U15 Human Reliability Analysis Methods 6) Explosive safety

U16 Space Operations Safety 7) Software System Safety U17 Cosmic Hazards and Planetary Defence 8) Safety Management System

10) Quality Assurance for Space distribute information to learners. VLEs The features of a typical web-based Projects can, for example, enable learners to col- course are: laborate on projects and share informa- 11) Reliability for Space Projects tion. However, the focus of web-based ƒƒ Course information, notice board, courses must always be on the learner. timetable 12) Configuration Management for Technology is not the issue, nor neces- Space Projects sarily the answer. ƒƒ Curriculum map 13) Risk Management for Safety Several approaches can be used to ƒƒ Teaching materials such as slides, Engineer develop and deliver web-based learning. handouts, articles These can be viewed as a continuum. 14) Liabilities and Maximum Probable At one end is “pure” distance learning ƒƒ Communication via email and Loss (MPL) Calculation (in which course material, assessment, discussion boards and support is all delivered online, with no face to face contact between stu- ƒƒ Formative and summative dents and teachers). At the other end is assessments an organizational intranet, which repli- cates printed course materials online to ƒƒ Student management tools (records, support what is essentially a traditional statistics, student tracking) face to face course. However, websites that are just repositories of knowledge, ƒƒ Links to useful internal and external without links to learning, communica- websites (library, online databases, tion, and assessment activities, are not and journals) learner centred and cannot be consid- ered true web-based learning courses.

61 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

Annex D ESSENTIAL FEATURES OF A SELF-POLICING SAFETY ORGANIZATION FOR THE OIL AND GAS INDUSTRY Excerpt (pages 241-242) from Report to the President National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling January 2011

ike the nuclear power industry in 1979, two types of industries warrant signifi- sources, and complete freedom from Lin the immediate aftermath of the Three cant differences in the precise structure any suggestion that its operations are Mile Island accident, the nation’s oil and and operation of their respective indus- compromised by multiple other interests gas industry needs now to embrace the try safety institutes. But, as elaborated and agendas. As a consensus-based or- potential for an industry safety institute below, the basic, successful principles ganization, the American Petroleum In- to supplement government oversight of upon which the INPO model is premised stitute (API) is culturally ill-suited to drive industry operations. Akin to INPO, such can serve as the touchstones for the oil a safety revolution in the industry. For a new safety institute can provide the na- and gas industry in establishing its own. this reason, it is essential that the safety tion with the assurances of safety nec- enterprise operate apart from the API. essary to allow the oil and gas industry Credibility. To be credible, any indus- As described above and in Chapter 3, access to the nation’s energy resources try-created safety institute would need API’s longstanding role as an industry on the outer continental shelf. To be sure, to have complete command of techni- lobbyist and policy advocate, with an the significant differences between the cal expertise available through industry established record of opposing reform and modernization of safety regulations, renders it inappropriate to serve a self- policing function. In the aftermath of the Deepwater Horizon tragedy, the Com- mission strongly believes that the oil and gas industry cannot persuade the Ameri- can public that it is changing business- as-usual practices if it attempts to fend off more effective public oversight by chartering a self-policing function under the control of an advocacy organization.

An industry-wide commitment to rigorous auditing and continuous im- provement. The INPO experience makes clear that any successful oil and gas indus- try safety institute would require in the first instance strong board-level support from CEOs and boards of directors of member companies for a rigorous inspection and auditing function. Such audits would need to be aimed at assessing companies’ safety cultures (from design, training, and operations through incident investigation and management of improvements) and Former EPA Administrator William Reilly (L) and former U.S. Sen. Bob Graham, co-chairs of the National Com- encouraging learning about and imple- mission on the BP Deepwater Horizon Oil Spill and Offshore Drilling. December, 2, 2010, in Washington, DC. mentation of enhanced practices.

62 THE SPACE SAFETY INSTITUTE PROPOSAL FOR A MODERN INDUSTRY-GOVERNMENT PARTNERSHIP TO ADVANCE COMMERCIAL SPACEFLIGHT SAFETY

As at INPO, the inspection and au- standards and performance, measured globally, including (but not exclusive- diting function would need to be con- against global benchmarks. The means, ly) those set by the API. An initial set ducted by safety institute staff, com- to that end, include the safety auditor’s of standards and scope of operation. plemented by experts seconded from reviews; insurer evaluations of risk; and The industry needs to benchmark safe- industry companies, able to analyze the management recognition of and incen- ty and environmental practice rules full range of technologies and practices, tives for effective behavior. Senior lead- against recognized global best practic- and designed to promote cross company ership would be accountable to the com- es. The Safety and Environmental Man- learning and shared responsibility while pany’s board of directors, who in turn agement Program Recommended Prac- protecting proprietary information There would be accountable to investors. tice 75 (API RP 75) developed in 1993 would also need to be a commitment to by the API and incorporated by refer- share findings about safety records and In a broader sense, the industry’s ence in the Department of the Interior’s best practices within the industry, ag- safety institute could facilitate a smooth new workplace safety rules, adopted in gregate data, and analyze performance transition to a regulatory regime based October 2010, is a reasonable starting trends, shortcomings, and needs for on systems safety engineering and im- point. 172 Updates to those safety rules further research and development. Ac- proved coordination among operators are needed immediately, but a new in- countability could be enhanced by a re- and contractors—the principles of the dustry safety institution could make a quirement that companies report their U.K.’s “safety case” that shifts respon- credible start by requiring members to audit scores to their boards of directors sibility for maintaining safe operations adopt all safety standards promptly, and insurance companies. at all times to the operators themselves. and mandating that the companies, in It should drive continuous improvement turn, require that their contractors and The main goal is to drive continu- in standards and practices by incorpo- service providers comply with the new ous improvement in every company’s rating the highest standards achieved safety rules.

NOTES & REFERENCES

1. NOTE: Sections: 1.1, 1.2, authored by Prof. President. worth-Heinemann. Nancy Leveson (MIT Boston), and previously 9. Duarte, A. (2007) Engineering and Safety 18. NASA NPR 8705.2C (2017) Human-Rating published as part of the IAASS book Space Partnership Enhances Safety of the Space Requirements for Space Systems. Safety and Human Performance, Elsevier Shuttle Program, 2nd IAASS Conference: 19. NASA NSTS 1700.7B (1989) Safety Policy (2017) Space Safety in a Global World; 14-16 May and Requirements. 2. NOTE: Sections 1.3, 2.1, 2.2, 4.2, 4.3, au- 2007; Chicago, IL; United States. 20. NASA/SP-2014-3705 (2014) NASA Space thored by Tommaso Sgobba (IAASS), and 10. ESMD-CCTSCR-12.10 (2010) Commercial Flight Program and Project Management previously published as part of the IAASS Crew Transportation System Certification Handbook. book Space Safety and Human Performance, Requirements for NASA Low Earth Orbit 21. National Academy of Sciences, (1988), Post- Elsevier (2017) Missions. Challenger Evaluation of Space Shuttle Risk 3. NOTE: Chapter 3 is based on excerpts from 11. Gehman, H., et. al. (2003) Report of Columbia Assessment and Management. Commit- Standards, Conformity Assessment, and Accident Investigation Board. tee on Shuttle Criticality Review and Hazard Trade Into the 21st Century (1995), Policy Proj- 12. Hale, W. (2010) Wayne Hale's Blog: Human Analysis Audit, Space Applications Board, ect Committee, Board on Science, Technol- Rating a Spacecraft. http://www.spaceref. Commission on Engineering and Technical ogy, and Economic Policy, National Research com/news/viewsr.html?pid=33584 Systems, National Research Council, Nation- Council, The National Academies Press. 13. Hall, J. L., (2003) Columbia and Challenger: al, National Academy Press. 4. Barriero, J., J. Chachere, J. Frank, Ch. Bertels, organizational failure at NASA, Elsevier. 22. National Commission on BP Deepwater A. Crocker (2010) Constraint and Flight Rule 14. http://theconversation.com, (2014) Deepwa- Horizon Oil Spill and Offshore Drilling, (2011) Management for Space Mission Operations, ter Horizon four years on and offshore safety 23. Green, P., Why safety and Human Factors/ SAIRAS 2010, Sapporo, Japan. remains questionable. Ergonomics standards are so difficult to es- 5. Blind. K. (2013) The Impact of Standardization 15. Kemeny, J. (1979) Chairman President’s tablish. University of Michigan Transportation and Standards on Innovation, Nesta Working Commission on the Accident at Three Mile Research Institute (UMTRI), Michigan, USA Paper 13/15. Island. Final Report. 24. Rogers, W., et. al. (1986). Report of the Presi- 6. Clifton, A. E. (2005) Hazard Analysis Tech- 16. Miller, J., J. Leggett, J. Kramer-White (2008) dential Commission on the Space Shuttle niques for System Safety, John Wiley & Sons, Design Development Test and Evaluation Challenger Accident. Inc. (DDT&E) Considerations for Safe and Reli- 25. Sperber, K. P. (1973) NASA TN D-7438 Apollo 7. Thornton, C., The Triumph of Risk manage- able Human Rated Spacecraft Systems. Experience Report Reliability and Quality ment. https://www.mangolive.com/blog- NASA/TM-2008- 215126/Vol II NESC-RP- Assurance. mango/triumph-of-risk-management 06-108/05-173-E/Part 2. 26. Tremayne, D. (2000) The science of safety, 8. Deep Water (2011) The Gulf Oil Disaster and 17. Musgrave G., A. Larsen, T. Sgobba (2009) the battle against unacceptable risk in motor the Future of Offshore Drilling, Report to the Safety Design for Space Systems Butter- racing. UK, Haynes Publishing.

63 SPACE SAFETY INSTITUTE STUDY TEAM

The Study Team will review this report to validate the concept of establishing a Space Safety Institute for commercial human spaceflight. The Study Team will also study and make recommendations about set-up and funding of the proposed Space Safety Institute, in particular the feasibility as Federally Funded Research and Development Center (FFRDC),

STUDY TEAM MEMBERS

Dr. George C. Nield Dr. George C. Nield served as the Associate Administrator for Commercial Space Transportation at the Federal Aviation Administration (FAA) from 2008-2018. Under his leadership, the office had the mission to ensure public safety during commercial launch and reentry activities, as well as to encourage, facilitate, and promote commercial space transportation. Dr. Nield has over 35 years of aerospace experience with the Air Force, at NASA, and in private industry.

Edward J. Mango Edward J. Mango served as the NASA program manager for the Commercial Crew Program (CCP) at NASA’s Kennedy Space Center in Florida. The Commercial Crew Program is leading NASA’s efforts to develop the next United States capability for crew transportation and rescue services to and from the International Space Station (ISS) and other low-Earth orbit destinations by the middle of the decade. The outcome of this capability is expected to stimulate and expand the U.S. space transportation industry.

Richard W. McKinney Richard W. McKinney served as Deputy Under Secretary of the Air Force for Space and the Director, Executive Agent for Space Staff, Washington, D.C. He provided the principal support to the Under Secretary’s role as the Headquarters U.S. Air Force focal point for space matters and in coordinating activities across the Air Force space enterprise. Additionally, he directed the headquarters staff responsible for space policy, issue integration and strategy.

Dr. James W. Wade Dr. James Wade is Vice President, Corporate Mission Assurance at Raytheon. He leads the end-to-end Mission Assurance, Quality, and continuous improvement efforts across the company. Raytheon Company is a technology and innovation leader specializing in defense security and civil markets throughout the world. Dr. James Wade joined Raytheon in 2010 from MIT Lincoln Laboratory where he was the head of its Safety and Mission Assurance Office.

Christopher T.W. Kunstadter Chris Kunstadter is Senior Vice President and Global Underwriting Manager – Space at AXA XL, and manages AXA’s space insurance portfolio. He is actively involved in all aspects of AXA’s space business. Chris has worked closely with satellite operators and manufacturers, launch providers, and government agencies to enhance industry understanding of space risk management issues, and has served on numerous failure review boards for satellites and launch vehicle.

IAASS-ISSF STUDY SUPPORT TEAM MEMBERS

Dr. Michael Kezirian Dr. Michael Kezirian is President of the International Space Safety foundation (ISSF). Dr. Kezirian was an Associate Technical Fellow at the Boeing Company most recently supporting the development of the Boeing Starliner CST-100. Previously he was a design analyst for the Nitrogen Oxygen Recharge System (NORS) for the International Space Station (ISS). He was the Boeing Vehicle Safety Lead for the Shuttle Orbiter Endeavour.

Tommaso Sgobba Tommaso Sgobba is Executive Director of the IAASS. Until 2013 Tommaso Sgobba was head of Independent Safety Office at the European Space Agency (ESA), responsible for human-rated systems safety certification, spacecraft re-entry, space debris, and planetary protection. Before joining ESA in 1989, he worked for 13 years in aviation as quality assurance manager.